NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit136f87e

committed

Allow users with BYPASSRLS to alter their own passwords.

The intention in commit491c029 was to require superuserness tochange the BYPASSRLS property, but the actual effect of the codingin AlterRole() was to require superuserness to change anything at allabout a BYPASSRLS role. Other properties of a BYPASSRLS role shouldbe changeable under the same rules as for a normal role, though.Fix that, and also take care of some documentation omissions relatedto BYPASSRLS and REPLICATION role properties.Tom Lane and Stephen Frost, per bug report from Wolfgang Walther.Back-patch to all supported branches.Discussion:https://postgr.es/m/a5548a9f-89ee-3167-129d-162b5985fcf8@technowledgy.de

1 parentd3befe9 commit136f87eCopy full SHA for 136f87e

File tree

3 files changed

+18

-7

lines changed

doc/src/sgml/ref
- alter_role.sgml
- create_role.sgml
src/backend/commands
- user.c

3 files changed

+18

-7

lines changed

`‎doc/src/sgml/ref/alter_role.sgml`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> \| A`
`70`	`70`	`Attributes not mentioned in the command retain their previous settings.`
`71`	`71`	`Database superusers can change any of these settings for any role.`
`72`	`72`	`Roles having <literal>CREATEROLE</literal> privilege can change any of these`
`73`		`- settings, but only for non-superuser and non-replication roles.`
	`73`	`+ settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,`
	`74`	`+ and <literal>BYPASSRLS</literal>; but only for non-superuser and`
	`75`	`+ non-replication roles.`
`74`	`76`	`Ordinary roles can only change their own password.`
`75`	`77`	`</para>`
`76`	`78`

`‎doc/src/sgml/ref/create_role.sgml`

Lines changed: 9 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -181,6 +181,8 @@ in sync when changing the above synopsis!`
`181`	`181`	`highly privileged role, and should only be used on roles actually`
`182`	`182`	`used for replication. If not specified,`
`183`	`183`	`<literal>NOREPLICATION</literal> is the default.`
	`184`	`+ You must be a superuser to create a new role having the`
	`185`	`+ <literal>REPLICATION</literal> attribute.`
`184`	`186`	`</para>`
`185`	`187`	`</listitem>`
`186`	`188`	`</varlistentry>`
`@@ -192,11 +194,16 @@ in sync when changing the above synopsis!`
`192`	`194`	`<para>`
`193`	`195`	`These clauses determine whether a role bypasses every row-level`
`194`	`196`	`security (RLS) policy. <literal>NOBYPASSRLS</literal> is the default.`
	`197`	`+ You must be a superuser to create a new role having`
	`198`	`+ the <literal>BYPASSRLS</literal> attribute.`
	`199`	`+ </para>`
	`200`	`+`
	`201`	`+ <para>`
`195`	`202`	`Note that pg_dump will set <literal>row_security</literal> to`
`196`	`203`	`<literal>OFF</literal> by default, to ensure all contents of a table are`
`197`	`204`	`dumped out. If the user running pg_dump does not have appropriate`
`198`		`- permissions, an error will be returned.The superuser and owner of the`
`199`		`- table being dumped always bypass RLS.`
	`205`	`+ permissions, an error will be returned.However, superusers and the`
	`206`	`+owner of thetable being dumped always bypass RLS.`
`200`	`207`	`</para>`
`201`	`208`	`</listitem>`
`202`	`209`	`</varlistentry>`

`‎src/backend/commands/user.c`

Lines changed: 6 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -709,8 +709,10 @@ AlterRole(AlterRoleStmt *stmt)`
`709`	`709`	`roleid=authform->oid;`
`710`	`710`
`711`	`711`	`/*`
`712`		`- * To mess with a superuser you gotta be superuser; else you need`
`713`		`- * createrole, or just want to change your own password`
	`712`	`+ * To mess with a superuser or replication role in any way you gotta be`
	`713`	`+ * superuser. We also insist on superuser to change the BYPASSRLS`
	`714`	`+ * property. Otherwise, if you don't have createrole, you're only allowed`
	`715`	`+ * to change your own password.`
`714`	`716`	`*/`
`715`	`717`	`if (authform->rolsuper\|\|issuper >=0)`
`716`	`718`	`{`
`@@ -726,7 +728,7 @@ AlterRole(AlterRoleStmt *stmt)`
`726`	`728`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`727`	`729`	`errmsg("must be superuser to alter replication users")));`
`728`	`730`	`}`
`729`		`-elseif (authform->rolbypassrls\|\|bypassrls >=0)`
	`731`	`+elseif (bypassrls >=0)`
`730`	`732`	`{`
`731`	`733`	`if (!superuser())`
`732`	`734`	`ereport(ERROR,`
`@@ -735,11 +737,11 @@ AlterRole(AlterRoleStmt *stmt)`
`735`	`737`	`}`
`736`	`738`	`elseif (!have_createrole_privilege())`
`737`	`739`	`{`
	`740`	`+/* We already checked issuper, isreplication, and bypassrls */`
`738`	`741`	`if (!(inherit<0&&`
`739`	`742`	`createrole<0&&`
`740`	`743`	`createdb<0&&`
`741`	`744`	`canlogin<0&&`
`742`		`-isreplication<0&&`
`743`	`745`	`!dconnlimit&&`
`744`	`746`	`!rolemembers&&`
`745`	`747`	`!validUntil&&`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit136f87e

File tree

3 files changed

3 files changed

`‎doc/src/sgml/ref/alter_role.sgml`

`‎doc/src/sgml/ref/create_role.sgml`

`‎src/backend/commands/user.c`

0 commit comments