mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-09-30 18:51:20 +02:00
5770172cb0
The ability to create like-named objects in different schemas opens up
the potential for users to change the behavior of other users' queries,
maliciously or accidentally. When you connect to a PostgreSQL server,
you should remove from your search_path any schema for which a user
other than yourself or superusers holds the CREATE privilege. If you do
not, other users holding CREATE privilege can redefine the behavior of
your commands, causing them to perform arbitrary SQL statements under
your identity. "SET search_path = ..." and "SELECT
pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
can use either as the first command of a session. As special
exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb
createdb createlang createuser dropdb droplang dropuser ecpg (not
programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
vacuumlo. Not included are core client programs that run user-specified
SQL commands, namely psql and pgbench. PostgreSQL encourages non-core
client applications to do likewise.
Document this in the context of libpq connections, psql connections,
dblink connections, ECPG connections, extension packaging, and schema
usage patterns. The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal
defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
Either one is sufficient to prevent attack. After a REVOKE, consider
auditing the public schema for objects named like pg_catalog objects.
Authors of SECURITY DEFINER functions use some of the same defenses, and
the CREATE FUNCTION reference page already covered them thoroughly.
This is a good opportunity to audit SECURITY DEFINER functions for
robust security practice.
Back-patch to 9.3 (all supported versions).
Reviewed by Michael Paquier and Jonathan S. Katz. Reported by Arseniy
Sharoglazov.
Security: CVE-2018-1058
210 lines
6.4 KiB
Plaintext
210 lines
6.4 KiB
Plaintext
<!-- doc/src/sgml/contrib.sgml -->
|
|
|
|
<appendix id="contrib">
|
|
<title>Additional Supplied Modules</title>
|
|
|
|
<para>
|
|
This appendix and the next one contain information regarding the modules that
|
|
can be found in the <literal>contrib</literal> directory of the
|
|
<productname>PostgreSQL</productname> distribution.
|
|
These include porting tools, analysis utilities,
|
|
and plug-in features that are not part of the core PostgreSQL system,
|
|
mainly because they address a limited audience or are too experimental
|
|
to be part of the main source tree. This does not preclude their
|
|
usefulness.
|
|
</para>
|
|
|
|
<para>
|
|
This appendix covers extensions and other server plug-in modules found in
|
|
<literal>contrib</literal>. <xref linkend="contrib-prog"/> covers utility
|
|
programs.
|
|
</para>
|
|
|
|
<para>
|
|
When building from the source distribution, these components are not built
|
|
automatically, unless you build the "world" target
|
|
(see <xref linkend="build"/>).
|
|
You can build and install all of them by running:
|
|
<screen>
|
|
<userinput>make</userinput>
|
|
<userinput>make install</userinput>
|
|
</screen>
|
|
in the <literal>contrib</literal> directory of a configured source tree;
|
|
or to build and install
|
|
just one selected module, do the same in that module's subdirectory.
|
|
Many of the modules have regression tests, which can be executed by
|
|
running:
|
|
<screen>
|
|
<userinput>make check</userinput>
|
|
</screen>
|
|
before installation or
|
|
<screen>
|
|
<userinput>make installcheck</userinput>
|
|
</screen>
|
|
once you have a <productname>PostgreSQL</productname> server running.
|
|
</para>
|
|
|
|
<para>
|
|
If you are using a pre-packaged version of <productname>PostgreSQL</productname>,
|
|
these modules are typically made available as a separate subpackage,
|
|
such as <literal>postgresql-contrib</literal>.
|
|
</para>
|
|
|
|
<para>
|
|
Many modules supply new user-defined functions, operators, or types.
|
|
To make use of one of these modules, after you have installed the code
|
|
you need to register the new SQL objects in the database system.
|
|
In <productname>PostgreSQL</productname> 9.1 and later, this is done by executing
|
|
a <xref linkend="sql-createextension"/> command. In a fresh database,
|
|
you can simply do
|
|
|
|
<programlisting>
|
|
CREATE EXTENSION <replaceable>module_name</replaceable>;
|
|
</programlisting>
|
|
|
|
This command must be run by a database superuser. This registers the
|
|
new SQL objects in the current database only, so you need to run this
|
|
command in each database that you want
|
|
the module's facilities to be available in. Alternatively, run it in
|
|
database <literal>template1</literal> so that the extension will be copied into
|
|
subsequently-created databases by default.
|
|
</para>
|
|
|
|
<para>
|
|
Many modules allow you to install their objects in a schema of your
|
|
choice. To do that, add <literal>SCHEMA
|
|
<replaceable>schema_name</replaceable></literal> to the <command>CREATE EXTENSION</command>
|
|
command. By default, the objects will be placed in your current creation
|
|
target schema, which in turn defaults to <literal>public</literal>.
|
|
</para>
|
|
|
|
<para>
|
|
If your database was brought forward by dump and reload from a pre-9.1
|
|
version of <productname>PostgreSQL</productname>, and you had been using the pre-9.1
|
|
version of the module in it, you should instead do
|
|
|
|
<programlisting>
|
|
CREATE EXTENSION <replaceable>module_name</replaceable> FROM unpackaged;
|
|
</programlisting>
|
|
|
|
This will update the pre-9.1 objects of the module into a proper
|
|
<firstterm>extension</firstterm> object. Future updates to the module will be
|
|
managed by <xref linkend="sql-alterextension"/>.
|
|
For more information about extension updates, see
|
|
<xref linkend="extend-extensions"/>.
|
|
</para>
|
|
|
|
<para>
|
|
Note, however, that some of these modules are not <quote>extensions</quote>
|
|
in this sense, but are loaded into the server in some other way, for instance
|
|
by way of
|
|
<xref linkend="guc-shared-preload-libraries"/>. See the documentation of each
|
|
module for details.
|
|
</para>
|
|
|
|
&adminpack;
|
|
&amcheck;
|
|
&auth-delay;
|
|
&auto-explain;
|
|
&bloom;
|
|
&btree-gin;
|
|
&btree-gist;
|
|
&citext;
|
|
&cube;
|
|
&dblink;
|
|
&dict-int;
|
|
&dict-xsyn;
|
|
&earthdistance;
|
|
&file-fdw;
|
|
&fuzzystrmatch;
|
|
&hstore;
|
|
&intagg;
|
|
&intarray;
|
|
&isn;
|
|
&lo;
|
|
<ree;
|
|
&pageinspect;
|
|
&passwordcheck;
|
|
&pgbuffercache;
|
|
&pgcrypto;
|
|
&pgfreespacemap;
|
|
&pgprewarm;
|
|
&pgrowlocks;
|
|
&pgstatstatements;
|
|
&pgstattuple;
|
|
&pgtrgm;
|
|
&pgvisibility;
|
|
&postgres-fdw;
|
|
&seg;
|
|
&sepgsql;
|
|
&contrib-spi;
|
|
&sslinfo;
|
|
&tablefunc;
|
|
&tcn;
|
|
&test-decoding;
|
|
&tsm-system-rows;
|
|
&tsm-system-time;
|
|
&unaccent;
|
|
&uuid-ossp;
|
|
&xml2;
|
|
|
|
</appendix>
|
|
|
|
<!--
|
|
These are two separate appendixes because it is difficult to mix regular
|
|
sections (for extensions) and refentries (for programs) in one chapter or
|
|
appendix. And we do want the programs as refentries so that we can produce man
|
|
pages.
|
|
-->
|
|
|
|
<appendix id="contrib-prog">
|
|
<title>Additional Supplied Programs</title>
|
|
|
|
<para>
|
|
This appendix and the previous one contain information regarding the modules that
|
|
can be found in the <literal>contrib</literal> directory of the
|
|
<productname>PostgreSQL</productname> distribution. See <xref linkend="contrib"/> for
|
|
more information about the <literal>contrib</literal> section in general and
|
|
server extensions and plug-ins found in <literal>contrib</literal>
|
|
specifically.
|
|
</para>
|
|
|
|
<para>
|
|
This appendix covers utility programs found in <literal>contrib</literal>.
|
|
Once installed, either from source or a packaging system, they are found in
|
|
the <filename>bin</filename> directory of the
|
|
<productname>PostgreSQL</productname> installation and can be used like any
|
|
other program.
|
|
</para>
|
|
|
|
<sect1 id="contrib-prog-client">
|
|
<title>Client Applications</title>
|
|
|
|
<para>
|
|
This section covers <productname>PostgreSQL</productname> client
|
|
applications in <literal>contrib</literal>. They can be run from anywhere,
|
|
independent of where the database server resides. See
|
|
also <xref linkend="reference-client"/> for information about client
|
|
applications that part of the core <productname>PostgreSQL</productname>
|
|
distribution.
|
|
</para>
|
|
|
|
&oid2name;
|
|
&vacuumlo;
|
|
</sect1>
|
|
|
|
<sect1 id="contrib-prog-server">
|
|
<title>Server Applications</title>
|
|
|
|
<para>
|
|
This section covers <productname>PostgreSQL</productname> server-related
|
|
applications in <literal>contrib</literal>. They are typically run on the
|
|
host where the database server resides. See also <xref
|
|
linkend="reference-server"/> for information about server applications that
|
|
part of the core <productname>PostgreSQL</productname> distribution.
|
|
</para>
|
|
|
|
&pgstandby;
|
|
</sect1>
|
|
</appendix>
|