agora inbox for [email protected]help / color / mirror / Atom feed
[PATCH v47 2/9] give options bitmask to table_delete/table_update 208+ messages / 2 participants [nested] [flat]
* [PATCH v47 2/9] give options bitmask to table_delete/table_update @ 2026-03-30 11:27 Álvaro Herrera <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Álvaro Herrera @ 2026-03-30 11:27 UTC (permalink / raw) --- src/backend/access/heap/heapam.c | 16 ++++++++++------ src/backend/access/heap/heapam_handler.c | 13 ++++++++----- src/backend/access/table/tableam.c | 6 +++--- src/backend/executor/nodeModifyTable.c | 9 +++++++-- src/include/access/heapam.h | 7 ++++--- src/include/access/tableam.h | 23 +++++++++++++++-------- 6 files changed, 47 insertions(+), 27 deletions(-) diff --git a/src/backend/access/heap/heapam.c b/src/backend/access/heap/heapam.c index d34136d2e94..0645b2d5f58 100644 --- a/src/backend/access/heap/heapam.c +++ b/src/backend/access/heap/heapam.c @@ -2862,8 +2862,8 @@ xmax_infomask_changed(uint16 new_infomask, uint16 old_infomask) */ TM_Result heap_delete(Relation relation, const ItemPointerData *tid, - CommandId cid, Snapshot crosscheck, bool wait, - TM_FailureData *tmfd, bool changingPart) + CommandId cid, uint32 options, Snapshot crosscheck, + bool wait, TM_FailureData *tmfd) { TM_Result result; TransactionId xid = GetCurrentTransactionId(); @@ -2876,6 +2876,7 @@ heap_delete(Relation relation, const ItemPointerData *tid, TransactionId new_xmax; uint16 new_infomask, new_infomask2; + bool changingPart = (options & TABLE_DELETE_CHANGING_PARTITION) != 0; bool have_tuple_lock = false; bool iscombo; bool all_visible_cleared = false; @@ -3290,9 +3291,11 @@ simple_heap_delete(Relation relation, const ItemPointerData *tid) TM_FailureData tmfd; result = heap_delete(relation, tid, - GetCurrentCommandId(true), InvalidSnapshot, + GetCurrentCommandId(true), + 0, + InvalidSnapshot, true /* wait for commit */ , - &tmfd, false /* changingPart */ ); + &tmfd); switch (result) { case TM_SelfModified: @@ -3331,7 +3334,7 @@ simple_heap_delete(Relation relation, const ItemPointerData *tid) */ TM_Result heap_update(Relation relation, const ItemPointerData *otid, HeapTuple newtup, - CommandId cid, Snapshot crosscheck, bool wait, + CommandId cid, uint32 options, Snapshot crosscheck, bool wait, TM_FailureData *tmfd, LockTupleMode *lockmode, TU_UpdateIndexes *update_indexes) { @@ -4585,7 +4588,8 @@ simple_heap_update(Relation relation, const ItemPointerData *otid, HeapTuple tup LockTupleMode lockmode; result = heap_update(relation, otid, tup, - GetCurrentCommandId(true), InvalidSnapshot, + GetCurrentCommandId(true), 0, + InvalidSnapshot, true /* wait for commit */ , &tmfd, &lockmode, update_indexes); switch (result) diff --git a/src/backend/access/heap/heapam_handler.c b/src/backend/access/heap/heapam_handler.c index cdd153c6b6d..69debeff516 100644 --- a/src/backend/access/heap/heapam_handler.c +++ b/src/backend/access/heap/heapam_handler.c @@ -313,21 +313,23 @@ heapam_tuple_complete_speculative(Relation relation, TupleTableSlot *slot, static TM_Result heapam_tuple_delete(Relation relation, ItemPointer tid, CommandId cid, - Snapshot snapshot, Snapshot crosscheck, bool wait, - TM_FailureData *tmfd, bool changingPart) + uint32 options, Snapshot snapshot, Snapshot crosscheck, + bool wait, TM_FailureData *tmfd) { /* * Currently Deleting of index tuples are handled at vacuum, in case if * the storage itself is cleaning the dead tuples by itself, it is the * time to call the index tuple deletion also. */ - return heap_delete(relation, tid, cid, crosscheck, wait, tmfd, changingPart); + return heap_delete(relation, tid, cid, options, crosscheck, wait, + tmfd); } static TM_Result heapam_tuple_update(Relation relation, ItemPointer otid, TupleTableSlot *slot, - CommandId cid, Snapshot snapshot, Snapshot crosscheck, + CommandId cid, uint32 options pg_attribute_unused(), + Snapshot snapshot, Snapshot crosscheck, bool wait, TM_FailureData *tmfd, LockTupleMode *lockmode, TU_UpdateIndexes *update_indexes) { @@ -339,7 +341,8 @@ heapam_tuple_update(Relation relation, ItemPointer otid, TupleTableSlot *slot, slot->tts_tableOid = RelationGetRelid(relation); tuple->t_tableOid = slot->tts_tableOid; - result = heap_update(relation, otid, tuple, cid, crosscheck, wait, + result = heap_update(relation, otid, tuple, cid, options, + crosscheck, wait, tmfd, lockmode, update_indexes); ItemPointerCopy(&tuple->t_self, &slot->tts_tid); diff --git a/src/backend/access/table/tableam.c b/src/backend/access/table/tableam.c index 86481d7c029..68ff0966f1c 100644 --- a/src/backend/access/table/tableam.c +++ b/src/backend/access/table/tableam.c @@ -320,9 +320,9 @@ simple_table_tuple_delete(Relation rel, ItemPointer tid, Snapshot snapshot) result = table_tuple_delete(rel, tid, GetCurrentCommandId(true), - snapshot, InvalidSnapshot, + 0, snapshot, InvalidSnapshot, true /* wait for commit */ , - &tmfd, false /* changingPart */ ); + &tmfd); switch (result) { @@ -369,7 +369,7 @@ simple_table_tuple_update(Relation rel, ItemPointer otid, result = table_tuple_update(rel, otid, slot, GetCurrentCommandId(true), - snapshot, InvalidSnapshot, + 0, snapshot, InvalidSnapshot, true /* wait for commit */ , &tmfd, &lockmode, update_indexes); diff --git a/src/backend/executor/nodeModifyTable.c b/src/backend/executor/nodeModifyTable.c index 582bcc367c0..76728f08734 100644 --- a/src/backend/executor/nodeModifyTable.c +++ b/src/backend/executor/nodeModifyTable.c @@ -1522,14 +1522,18 @@ ExecDeleteAct(ModifyTableContext *context, ResultRelInfo *resultRelInfo, ItemPointer tupleid, bool changingPart) { EState *estate = context->estate; + uint32 options = 0; + + if (changingPart) + options |= TABLE_DELETE_CHANGING_PARTITION; return table_tuple_delete(resultRelInfo->ri_RelationDesc, tupleid, estate->es_output_cid, + options, estate->es_snapshot, estate->es_crosscheck_snapshot, true /* wait for commit */ , - &context->tmfd, - changingPart); + &context->tmfd); } /* @@ -2331,6 +2335,7 @@ lreplace: */ result = table_tuple_update(resultRelationDesc, tupleid, slot, estate->es_output_cid, + 0, estate->es_snapshot, estate->es_crosscheck_snapshot, true /* wait for commit */ , diff --git a/src/include/access/heapam.h b/src/include/access/heapam.h index 6018dacf0f7..77560b22877 100644 --- a/src/include/access/heapam.h +++ b/src/include/access/heapam.h @@ -382,13 +382,14 @@ extern void heap_multi_insert(Relation relation, TupleTableSlot **slots, int ntuples, CommandId cid, uint32 options, BulkInsertState bistate); extern TM_Result heap_delete(Relation relation, const ItemPointerData *tid, - CommandId cid, Snapshot crosscheck, bool wait, - TM_FailureData *tmfd, bool changingPart); + CommandId cid, uint32 options, Snapshot crosscheck, + bool wait, TM_FailureData *tmfd); extern void heap_finish_speculative(Relation relation, const ItemPointerData *tid); extern void heap_abort_speculative(Relation relation, const ItemPointerData *tid); extern TM_Result heap_update(Relation relation, const ItemPointerData *otid, HeapTuple newtup, - CommandId cid, Snapshot crosscheck, bool wait, + CommandId cid, uint32 options, + Snapshot crosscheck, bool wait, TM_FailureData *tmfd, LockTupleMode *lockmode, TU_UpdateIndexes *update_indexes); extern TM_Result heap_lock_tuple(Relation relation, HeapTuple tuple, diff --git a/src/include/access/tableam.h b/src/include/access/tableam.h index ab2e7fc1dfe..6cdd949f58d 100644 --- a/src/include/access/tableam.h +++ b/src/include/access/tableam.h @@ -287,6 +287,11 @@ typedef struct TM_IndexDeleteOp /* Follow update chain and lock latest version of tuple */ #define TUPLE_LOCK_FLAG_FIND_LAST_VERSION (1 << 1) +/* "options" flag bits for table_tuple_delete */ +#define TABLE_DELETE_CHANGING_PARTITION (1 << 0) + +/* "options" flag bits for table_tuple_update */ +/* XXX none at present */ /* Typedef for callback function for table_index_build_scan */ typedef void (*IndexBuildCallback) (Relation index, @@ -558,17 +563,18 @@ typedef struct TableAmRoutine TM_Result (*tuple_delete) (Relation rel, ItemPointer tid, CommandId cid, + uint32 options, Snapshot snapshot, Snapshot crosscheck, bool wait, - TM_FailureData *tmfd, - bool changingPart); + TM_FailureData *tmfd); /* see table_tuple_update() for reference about parameters */ TM_Result (*tuple_update) (Relation rel, ItemPointer otid, TupleTableSlot *slot, CommandId cid, + uint32 options, Snapshot snapshot, Snapshot crosscheck, bool wait, @@ -1533,12 +1539,12 @@ table_multi_insert(Relation rel, TupleTableSlot **slots, int nslots, */ static inline TM_Result table_tuple_delete(Relation rel, ItemPointer tid, CommandId cid, - Snapshot snapshot, Snapshot crosscheck, bool wait, - TM_FailureData *tmfd, bool changingPart) + uint32 options, Snapshot snapshot, Snapshot crosscheck, + bool wait, TM_FailureData *tmfd) { - return rel->rd_tableam->tuple_delete(rel, tid, cid, + return rel->rd_tableam->tuple_delete(rel, tid, cid, options, snapshot, crosscheck, - wait, tmfd, changingPart); + wait, tmfd); } /* @@ -1578,12 +1584,13 @@ table_tuple_delete(Relation rel, ItemPointer tid, CommandId cid, */ static inline TM_Result table_tuple_update(Relation rel, ItemPointer otid, TupleTableSlot *slot, - CommandId cid, Snapshot snapshot, Snapshot crosscheck, + CommandId cid, uint32 options, + Snapshot snapshot, Snapshot crosscheck, bool wait, TM_FailureData *tmfd, LockTupleMode *lockmode, TU_UpdateIndexes *update_indexes) { return rel->rd_tableam->tuple_update(rel, otid, slot, - cid, snapshot, crosscheck, + cid, options, snapshot, crosscheck, wait, tmfd, lockmode, update_indexes); } -- 2.47.3 --2fxmamo6mu2qbxgv Content-Type: text/x-diff; charset=utf-8 Content-Disposition: attachment; filename="v47-0003-Add-CONCURRENTLY-option-to-REPACK-command.patch" ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 208+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 208+ messages in thread
end of thread, other threads:[~2026-07-15 08:37 UTC | newest] Thread overview: 208+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2026-03-30 11:27 [PATCH v47 2/9] give options bitmask to table_delete/table_update Álvaro Herrera <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox