List*other_options=NIL;

ListCell*cell;

if (catalog==ForeignTableRelationId&& !superuser())

ereport(ERROR,

(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

errmsg("only superuser can change options of a file_fdw foreign table")));

ereport(ERROR,

(errcode(ERRCODE_SYNTAX_ERROR),

errmsg("conflicting or redundant options")));

if (strcmp(def->defname,"filename")==0&&

!is_member_of_role(GetUserId(),DEFAULT_ROLE_READ_SERVER_FILES))

ereport(ERROR,

(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

errmsg("only superuser or a member of the pg_read_server_files role may specify the filename option of a file_fdw foreign table")));

if (strcmp(def->defname,"program")==0&&

!is_member_of_role(GetUserId(),DEFAULT_ROLE_EXECUTE_SERVER_PROGRAM))

ereport(ERROR,

(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

errmsg("only superuser or a member of the pg_execute_server_program role may specify the program option of a file_fdw foreign table")));

filename=defGetString(def);

}

ALTER FOREIGN TABLE agg_text OPTIONS (SET format 'text');

SET ROLE regress_file_fdw_user;

ALTER FOREIGN TABLE agg_text OPTIONS (SET format 'text');

ERROR: only superusercan change options of a file_fdw foreign table

ERROR: only superuseror a member of the pg_read_server_files role may specify the filename option of a file_fdw foreign table

SET ROLE regress_file_fdw_superuser;

-- cleanup

RESET ROLE;

</para>

<para>

Changing table-level options requires superuser privileges, for security

reasons: only a superuser should be able to control which file is read

or which program is run. In principle non-superusers could be allowed to

Changing table-level options requires being a superuser or having the privileges

of the default role <literal>pg_read_server_files</literal> (to use a filename) or

the default role <literal>pg_execute_server_programs</literal> (to use a program),

for security reasons: only certain users should be able to control which file is

read or which program is run. In principle regular users could be allowed to

change the other options, but that's not supported at present.

</para>

linkend="functions-admin-genfile-table"/> provide native access to

files on the machine hosting the server. Only files within the

database cluster directory and the <varname>log_directory</varname> can be

accessed. Use a relative path for files in the cluster directory,

and a path matching the <varname>log_directory</varname> configuration setting

for log files. Use of these functions is restricted to superusers

except where stated otherwise.

accessed unless the user is granted the role

<literal>pg_read_server_files</literal>. Use a relative path for files in

the cluster directory, and a path matching the <varname>log_directory</varname>

configuration setting for log files.

</para>

<para>

Note that granting users the EXECUTE privilege on the

<function>pg_read_file()</function>, or related, functions allows them the

ability to read any file on the server which the database can read and

that those reads bypass all in-database privilege checks. This means that,

among other things, a user with this access is able to read the contents of the

<literal>pg_authid</literal> table where authentication information is contained,

as well as read any file in the database. Therefore, granting access to these

functions should be carefully considered.

</para>

<table id="functions-admin-genfile-table">

</entry>

<entry><type>setof text</type></entry>

<entry>

List the contents of a directory.

List the contents of a directory. Restricted to superusers by default, but other users can be granted EXECUTE to run the function.

</entry>

</row>

<row>

</entry>

<entry><type>text</type></entry>

<entry>

Return the contents of a text file.

Return the contents of a text file. Restricted to superusers by default, but other users can be granted EXECUTE to run the function.

</entry>

</row>

<row>

</entry>

<entry><type>bytea</type></entry>

<entry>

Return the contents of a file.

Return the contents of a file. Restricted to superusers by default, but other users can be granted EXECUTE to run the function.

</entry>

</row>

<row>

</entry>

<entry><type>record</type></entry>

<entry>

Return information about a file.

Return information about a file. Restricted to superusers by default, but other users can be granted EXECUTE to run the function.

</entry>

</row>

</tbody>

by the server, not by the client application, must be executable by the

<productname>PostgreSQL</productname> user.

<command>COPY</command> naming a file or command is only allowed to

database superusers, since it allows reading or writing any file that the

server has privileges to access.

database superusers or users who are granted one of the default roles

<literal>pg_read_server_files</literal>,

<literal>pg_write_server_files</literal>,

or <literal>pg_execute_server_program</literal>, since it allows reading

or writing any file or running a program that the server has privileges to

access.

</para>

<para>

<entry>pg_signal_backend</entry>

<entry>Send signals to other backends (eg: cancel query, terminate).</entry>

</row>

<row>

<entry>pg_read_server_files</entry>

<entry>Allow reading files from any location the database can access on the server with COPY and

other file-access functions.</entry>

</row>

<row>

<entry>pg_write_server_files</entry>

<entry>Allow writing to files in any location the database can access on the server with COPY and

other file-access functions.</entry>

</row>

<row>

<entry>pg_execute_server_program</entry>

<entry>Allow executing programs on the database server as the user the database runs as with

COPY and other functions which allow executing a server-side program.</entry>

</row>

<row>

<entry>pg_monitor</entry>

<entry>Read/execute various monitoring views and functions.

</tgroup>

</table>

<para>

The <literal>pg_read_server_files</literal>, <literal>pg_write_server_files</literal> and

<literal>pg_execute_server_program</literal> roles are intended to allow administrators to have

trusted, but non-superuser, roles which are able to access files and run programs on the

database server as the user the database runs as. As these roles are able to access any file on

the server filesystem, they bypass all database-level permission checks when accessing files

directly and they could be used to gain superuser-level access, therefore care should be taken

when granting these roles to users.

</para>

<para>

The <literal>pg_monitor</literal>, <literal>pg_read_all_settings</literal>,

<literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal>

<para>

Care should be taken when granting these roles to ensure they are only used where

needed to perform the desired monitoring.

needed and with the understanding that these roles grant access to privileged

information.

</para>

<para>

Oidrelid;

RawStmt*query=NULL;

if (!pipe&& !superuser())

if (!pipe)

{

if (stmt->is_program)

ereport(ERROR,

(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

errmsg("must be superuser to COPY to or from an external program"),

errhint("Anyone can COPY to stdout or from stdin. "

"psql's \\copy command also works for anyone.")));

{

if (!is_member_of_role(GetUserId(),DEFAULT_ROLE_EXECUTE_SERVER_PROGRAM))

ereport(ERROR,

(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

errmsg("must be superuser or a member of the pg_execute_server_program role to COPY to or from an external program"),

errhint("Anyone can COPY to stdout or from stdin. "

"psql's \\copy command also works for anyone.")));

}

ereport(ERROR,

(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

errmsg("must be superuser to COPY to or from a file"),

errhint("Anyone can COPY to stdout or from stdin. "

"psql's \\copy command also works for anyone.")));

{

if (is_from&& !is_member_of_role(GetUserId(),DEFAULT_ROLE_READ_SERVER_FILES))

ereport(ERROR,

(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

errmsg("must be superuser or a member of the pg_read_server_files role to COPY from a file"),

errhint("Anyone can COPY to stdout or from stdin. "

"psql's \\copy command also works for anyone.")));

if (!is_from&& !is_member_of_role(GetUserId(),DEFAULT_ROLE_WRITE_SERVER_FILES))

ereport(ERROR,

(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

errmsg("must be superuser or a member of the pg_write_server_files role to COPY to a file"),

errhint("Anyone can COPY to stdout or from stdin. "

"psql's \\copy command also works for anyone.")));

}

}

if (stmt->relation)

convert_and_check_filename(text*arg)

filename=text_to_cstring(arg);

canonicalize_path(filename);/* filename can change length here */

if (is_member_of_role(GetUserId(),DEFAULT_ROLE_READ_SERVER_FILES))

returnfilename;

if (is_absolute_path(filename))

{

#defineDEFAULT_ROLE_READ_ALL_STATS 3375

DATA(insertOID=3377 ("pg_stat_scan_tables"ftfffff-1_null__null_));

#defineDEFAULT_ROLE_STAT_SCAN_TABLES3377

DATA(insertOID=4569 ("pg_read_server_files"ftfffff-1_null__null_));

#defineDEFAULT_ROLE_READ_SERVER_FILES4569

DATA(insertOID=4570 ("pg_write_server_files"ftfffff-1_null__null_));

#defineDEFAULT_ROLE_WRITE_SERVER_FILES4570

DATA(insertOID=4571 ("pg_execute_server_program"ftfffff-1_null__null_));

#defineDEFAULT_ROLE_EXECUTE_SERVER_PROGRAM4571

DATA(insertOID=4200 ("pg_signal_backend"ftfffff-1_null__null_));

#defineDEFAULT_ROLE_SIGNAL_BACKENDID4200