Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

Commit136f87e

Browse files
committed
Allow users with BYPASSRLS to alter their own passwords.
The intention in commit491c029 was to require superuserness tochange the BYPASSRLS property, but the actual effect of the codingin AlterRole() was to require superuserness to change anything at allabout a BYPASSRLS role. Other properties of a BYPASSRLS role shouldbe changeable under the same rules as for a normal role, though.Fix that, and also take care of some documentation omissions relatedto BYPASSRLS and REPLICATION role properties.Tom Lane and Stephen Frost, per bug report from Wolfgang Walther.Back-patch to all supported branches.Discussion:https://postgr.es/m/a5548a9f-89ee-3167-129d-162b5985fcf8@technowledgy.de
1 parentd3befe9 commit136f87e

File tree

3 files changed

+18
-7
lines changed

3 files changed

+18
-7
lines changed

‎doc/src/sgml/ref/alter_role.sgml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
7070
Attributes not mentioned in the command retain their previous settings.
7171
Database superusers can change any of these settings for any role.
7272
Roles having <literal>CREATEROLE</literal> privilege can change any of these
73-
settings, but only for non-superuser and non-replication roles.
73+
settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
74+
and <literal>BYPASSRLS</literal>; but only for non-superuser and
75+
non-replication roles.
7476
Ordinary roles can only change their own password.
7577
</para>
7678

‎doc/src/sgml/ref/create_role.sgml

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -181,6 +181,8 @@ in sync when changing the above synopsis!
181181
highly privileged role, and should only be used on roles actually
182182
used for replication. If not specified,
183183
<literal>NOREPLICATION</literal> is the default.
184+
You must be a superuser to create a new role having the
185+
<literal>REPLICATION</literal> attribute.
184186
</para>
185187
</listitem>
186188
</varlistentry>
@@ -192,11 +194,16 @@ in sync when changing the above synopsis!
192194
<para>
193195
These clauses determine whether a role bypasses every row-level
194196
security (RLS) policy. <literal>NOBYPASSRLS</literal> is the default.
197+
You must be a superuser to create a new role having
198+
the <literal>BYPASSRLS</literal> attribute.
199+
</para>
200+
201+
<para>
195202
Note that pg_dump will set <literal>row_security</literal> to
196203
<literal>OFF</literal> by default, to ensure all contents of a table are
197204
dumped out. If the user running pg_dump does not have appropriate
198-
permissions, an error will be returned.The superuser and owner of the
199-
table being dumped always bypass RLS.
205+
permissions, an error will be returned.However, superusers and the
206+
owner of thetable being dumped always bypass RLS.
200207
</para>
201208
</listitem>
202209
</varlistentry>

‎src/backend/commands/user.c

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -709,8 +709,10 @@ AlterRole(AlterRoleStmt *stmt)
709709
roleid=authform->oid;
710710

711711
/*
712-
* To mess with a superuser you gotta be superuser; else you need
713-
* createrole, or just want to change your own password
712+
* To mess with a superuser or replication role in any way you gotta be
713+
* superuser. We also insist on superuser to change the BYPASSRLS
714+
* property. Otherwise, if you don't have createrole, you're only allowed
715+
* to change your own password.
714716
*/
715717
if (authform->rolsuper||issuper >=0)
716718
{
@@ -726,7 +728,7 @@ AlterRole(AlterRoleStmt *stmt)
726728
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
727729
errmsg("must be superuser to alter replication users")));
728730
}
729-
elseif (authform->rolbypassrls||bypassrls >=0)
731+
elseif (bypassrls >=0)
730732
{
731733
if (!superuser())
732734
ereport(ERROR,
@@ -735,11 +737,11 @@ AlterRole(AlterRoleStmt *stmt)
735737
}
736738
elseif (!have_createrole_privilege())
737739
{
740+
/* We already checked issuper, isreplication, and bypassrls */
738741
if (!(inherit<0&&
739742
createrole<0&&
740743
createdb<0&&
741744
canlogin<0&&
742-
isreplication<0&&
743745
!dconnlimit&&
744746
!rolemembers&&
745747
!validUntil&&

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp