Re: Nasty security bug with clustering

Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:
>> No check is performed for being a superuser, the table owner or that it 
>> is a system table when marking an index for clustering:

> I'm about to submit my SET WITHOUT CLUSTER patch, so I'll fix this bug 
> in that.

I'm in the middle of reviewing (read whacking around) Rod Taylor's patch
for multiple operations in ALTER TABLE, so I'm afraid that no patch in
the same area is likely to apply cleanly after the dust settles :-(

I had noted the lack of permissions checks in CLUSTER ON (it's fairly
glaring in the reorganized code) and planned to fix it along with what
I was doing.
        regards, tom lane