NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commite6f1e56

committed

Make inherited TRUNCATE perform access permission checks on parent table only.

Previously, TRUNCATE command through a parent table checked thepermissions on not only the parent table but also the children tablesinherited from it. This was a bug and inherited queries should performaccess permission checks on the parent table only. This commit fixesthat bug.Back-patch to all supported branches.Author: Amit LangoteReviewed-by: Fujii MasaoDiscussion:https://postgr.es/m/CAHGQGwFHdSvifhJE+-GSNqUHSfbiKxaeQQ7HGcYz6SC2n_oDcg@mail.gmail.com

1 parentb0afdca commite6f1e56Copy full SHA for e6f1e56

File tree

3 files changed

+60

-7

lines changed

src
- backend/commands
  - tablecmds.c
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

3 files changed

+60

-7

lines changed

`‎src/backend/commands/tablecmds.c`

Lines changed: 25 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -304,6 +304,7 @@ struct DropRelationCallbackState`
`304`	`304`	`((child_is_partition) ? DEPENDENCY_AUTO : DEPENDENCY_NORMAL)`
`305`	`305`
`306`	`306`	`static void truncate_check_rel(Oid relid, Form_pg_class reltuple);`
	`307`	`+static void truncate_check_perms(Oid relid, Form_pg_class reltuple);`
`307`	`308`	`static void truncate_check_activity(Relation rel);`
`308`	`309`	`static void RangeVarCallbackForTruncate(const RangeVar *relation,`
`309`	`310`	`Oid relId, Oid oldRelId, void *arg);`
`@@ -1615,6 +1616,12 @@ ExecuteTruncate(TruncateStmt *stmt)`
`1615`	`1616`	`continue;`
`1616`	`1617`	`}`
`1617`	`1618`
	`1619`	`+/*`
	`1620`	`+ * Inherited TRUNCATE commands perform access`
	`1621`	`+ * permission checks on the parent table only.`
	`1622`	`+ * So we skip checking the children's permissions`
	`1623`	`+ * and don't call truncate_check_perms() here.`
	`1624`	`+ */`
`1618`	`1625`	`truncate_check_rel(RelationGetRelid(rel), rel->rd_rel);`
`1619`	`1626`	`truncate_check_activity(rel);`
`1620`	`1627`
`@@ -1701,6 +1708,7 @@ ExecuteTruncateGuts(List explicit_rels, List relids, List *relids_logged,`
`1701`	`1708`	`(errmsg("truncate cascades to table \"%s\"",`
`1702`	`1709`	`RelationGetRelationName(rel))));`
`1703`	`1710`	`truncate_check_rel(relid, rel->rd_rel);`
	`1711`	`+truncate_check_perms(relid, rel->rd_rel);`
`1704`	`1712`	`truncate_check_activity(rel);`
`1705`	`1713`	`rels = lappend(rels, rel);`
`1706`	`1714`	`relids = lappend_oid(relids, relid);`
`@@ -1951,7 +1959,6 @@ ExecuteTruncateGuts(List explicit_rels, List relids, List *relids_logged,`
`1951`	`1959`	`static void`
`1952`	`1960`	`truncate_check_rel(Oid relid, Form_pg_class reltuple)`
`1953`	`1961`	`{`
`1954`		`-AclResultaclresult;`
`1955`	`1962`	`char *relname = NameStr(reltuple->relname);`
`1956`	`1963`
`1957`	`1964`	`/*`
`@@ -1965,12 +1972,6 @@ truncate_check_rel(Oid relid, Form_pg_class reltuple)`
`1965`	`1972`	`(errcode(ERRCODE_WRONG_OBJECT_TYPE),`
`1966`	`1973`	`errmsg("\"%s\" is not a table", relname)));`
`1967`	`1974`
`1968`		`-/* Permissions checks */`
`1969`		`-aclresult = pg_class_aclcheck(relid, GetUserId(), ACL_TRUNCATE);`
`1970`		`-if (aclresult != ACLCHECK_OK)`
`1971`		`-aclcheck_error(aclresult, get_relkind_objtype(reltuple->relkind),`
`1972`		`- relname);`
`1973`		`-`
`1974`	`1975`	`if (!allowSystemTableMods && IsSystemClass(relid, reltuple))`
`1975`	`1976`	`ereport(ERROR,`
`1976`	`1977`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`@@ -1980,6 +1981,22 @@ truncate_check_rel(Oid relid, Form_pg_class reltuple)`
`1980`	`1981`	`InvokeObjectTruncateHook(relid);`
`1981`	`1982`	`}`
`1982`	`1983`
	`1984`	`+/*`
	`1985`	`+ * Check that current user has the permission to truncate given relation.`
	`1986`	`+ */`
	`1987`	`+static void`
	`1988`	`+truncate_check_perms(Oid relid, Form_pg_class reltuple)`
	`1989`	`+{`
	`1990`	`+char *relname = NameStr(reltuple->relname);`
	`1991`	`+AclResultaclresult;`
	`1992`	`+`
	`1993`	`+/* Permissions checks */`
	`1994`	`+aclresult = pg_class_aclcheck(relid, GetUserId(), ACL_TRUNCATE);`
	`1995`	`+if (aclresult != ACLCHECK_OK)`
	`1996`	`+aclcheck_error(aclresult, get_relkind_objtype(reltuple->relkind),`
	`1997`	`+ relname);`
	`1998`	`+}`
	`1999`	`+`
`1983`	`2000`	`/*`
`1984`	`2001`	`* Set of extra sanity checks to check if a given relation is safe to`
`1985`	`2002`	`* truncate. This is split with truncate_check_rel() as`
`@@ -15292,6 +15309,7 @@ RangeVarCallbackForTruncate(const RangeVar *relation,`
`15292`	`15309`	`elog(ERROR, "cache lookup failed for relation %u", relId);`
`15293`	`15310`
`15294`	`15311`	`truncate_check_rel(relId, (Form_pg_class) GETSTRUCT(tuple));`
	`15312`	`+truncate_check_perms(relId, (Form_pg_class) GETSTRUCT(tuple));`
`15295`	`15313`
`15296`	`15314`	`ReleaseSysCache(tuple);`
`15297`	`15315`	`}`

`‎src/test/regress/expected/privileges.out`

Lines changed: 21 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -695,6 +695,27 @@ SELECT tableoid FROM atestp2; -- ok`
`695`	`695`	`----------`
`696`	`696`	`(0 rows)`
`697`	`697`
	`698`	`+-- child's permissions do not apply when operating on parent`
	`699`	`+SET SESSION AUTHORIZATION regress_priv_user1;`
	`700`	`+REVOKE ALL ON atestc FROM regress_priv_user2;`
	`701`	`+GRANT ALL ON atestp1 TO regress_priv_user2;`
	`702`	`+SET SESSION AUTHORIZATION regress_priv_user2;`
	`703`	`+SELECT f2 FROM atestp1; -- ok`
	`704`	`+ f2`
	`705`	`+----`
	`706`	`+(0 rows)`
	`707`	`+`
	`708`	`+SELECT f2 FROM atestc; -- fail`
	`709`	`+ERROR: permission denied for table atestc`
	`710`	`+DELETE FROM atestp1; -- ok`
	`711`	`+DELETE FROM atestc; -- fail`
	`712`	`+ERROR: permission denied for table atestc`
	`713`	`+UPDATE atestp1 SET f1 = 1; -- ok`
	`714`	`+UPDATE atestc SET f1 = 1; -- fail`
	`715`	`+ERROR: permission denied for table atestc`
	`716`	`+TRUNCATE atestp1; -- ok`
	`717`	`+TRUNCATE atestc; -- fail`
	`718`	`+ERROR: permission denied for table atestc`
`698`	`719`	`-- privileges on functions, languages`
`699`	`720`	`-- switch to superuser`
`700`	`721`	`\c -`

`‎src/test/regress/sql/privileges.sql`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -446,6 +446,20 @@ SELECT fy FROM atestp2; -- ok`
`446`	`446`	`SELECT atestp2FROM atestp2;-- ok`
`447`	`447`	`SELECT tableoidFROM atestp2;-- ok`
`448`	`448`
	`449`	`+-- child's permissions do not apply when operating on parent`
	`450`	`+SET SESSION AUTHORIZATION regress_priv_user1;`
	`451`	`+REVOKE ALLON atestcFROM regress_priv_user2;`
	`452`	`+GRANT ALLON atestp1 TO regress_priv_user2;`
	`453`	`+SET SESSION AUTHORIZATION regress_priv_user2;`
	`454`	`+SELECT f2FROM atestp1;-- ok`
	`455`	`+SELECT f2FROM atestc;-- fail`
	`456`	`+DELETEFROM atestp1;-- ok`
	`457`	`+DELETEFROM atestc;-- fail`
	`458`	`+UPDATE atestp1SET f1=1;-- ok`
	`459`	`+UPDATE atestcSET f1=1;-- fail`
	`460`	`+TRUNCATE atestp1;-- ok`
	`461`	`+TRUNCATE atestc;-- fail`
	`462`	`+`
`449`	`463`	`-- privileges on functions, languages`
`450`	`464`
`451`	`465`	`-- switch to superuser`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite6f1e56

File tree

3 files changed

3 files changed

`‎src/backend/commands/tablecmds.c`

`‎src/test/regress/expected/privileges.out`

`‎src/test/regress/sql/privileges.sql`

0 commit comments