NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit1564e92

committed

Require the issuer of CREATE TYPE to own the functions mentioned in the

type definition. Because use of a type's I/O conversion functions isn'taccess-checked, CREATE TYPE amounts to granting public execute permissionson the functions, and so allowing it to anybody means that someone couldtheoretically gain access to a function he's not supposed to be able toexecute. The parameter-type restrictions already enforced by CREATE TYPEmake it fairly unlikely that this oversight is meaningful in practice,but still it seems like a good idea to plug the hole going forward.Also, document the implicit grant just in case anybody gets the idea ofbuilding I/O functions that might need security restrictions.

1 parent4b3252c commit1564e92Copy full SHA for 1564e92

File tree

2 files changed

+37

-2

lines changed

doc/src/sgml/ref
- create_type.sgml
src/backend/commands
- typecmds.c

2 files changed

+37

-2

lines changed

`‎doc/src/sgml/ref/create_type.sgml`

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$PostgreSQL: pgsql/doc/src/sgml/ref/create_type.sgml,v 1.59 2005/11/01 21:09:50 tgl Exp $`
	`2`	`+$PostgreSQL: pgsql/doc/src/sgml/ref/create_type.sgml,v 1.60 2006/01/13 18:06:45 tgl Exp $`
`3`	`3`	`PostgreSQL documentation`
`4`	`4`	`-->`
`5`	`5`
`@@ -446,6 +446,17 @@ CREATE TYPE <replaceable class="parameter">name</replaceable> (`
`446`	`446`	`internally-created array type names.`
`447`	`447`	`</para>`
`448`	`448`
	`449`	`+ <para>`
	`450`	`+ Because there are no restrictions on use of a data type once it's been`
	`451`	`+ created, creating a base type is tantamount to granting public execute`
	`452`	`+ permission on the functions mentioned in the type definition. (The creator`
	`453`	`+ of the type is therefore required to own these functions.) This is usually`
	`454`	`+ not an issue for the sorts of functions that are useful in a type`
	`455`	`+ definition. But you might want to think twice before designing a type`
	`456`	`+ in a way that would require <quote>secret</> information to be used`
	`457`	`+ while converting it to or from external form.`
	`458`	`+ </para>`
	`459`	`+`
`449`	`460`	`<para>`
`450`	`461`	`In <productname>PostgreSQL</productname> versions before 7.3, it`
`451`	`462`	`was customary to avoid creating a shell type by replacing the`

`‎src/backend/commands/typecmds.c`

Lines changed: 25 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/commands/typecmds.c,v 1.85 2005/11/22 18:17:09 momjian Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/commands/typecmds.c,v 1.86 2006/01/13 18:06:45 tgl Exp $`
`12`	`12`	`*`
`13`	`13`	`* DESCRIPTION`
`14`	`14`	`* The "DefineFoo" routines take the parse tree and pick out the`
`@@ -330,6 +330,30 @@ DefineType(List names, List parameters)`
`330`	`330`	`if (analyzeName)`
`331`	`331`	`analyzeOid=findTypeAnalyzeFunction(analyzeName,typoid);`
`332`	`332`
	`333`	`+/*`
	`334`	`+ * Check permissions on functions. We choose to require the creator/owner`
	`335`	`+ * of a type to also own the underlying functions. Since creating a type`
	`336`	`+ * is tantamount to granting public execute access on the functions, the`
	`337`	`+ * minimum sane check would be for execute-with-grant-option. But we don't`
	`338`	`+ * have a way to make the type go away if the grant option is revoked, so`
	`339`	`+ * ownership seems better.`
	`340`	`+ */`
	`341`	`+if (inputOid&& !pg_proc_ownercheck(inputOid,GetUserId()))`
	`342`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,`
	`343`	`+NameListToString(inputName));`
	`344`	`+if (outputOid&& !pg_proc_ownercheck(outputOid,GetUserId()))`
	`345`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,`
	`346`	`+NameListToString(outputName));`
	`347`	`+if (receiveOid&& !pg_proc_ownercheck(receiveOid,GetUserId()))`
	`348`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,`
	`349`	`+NameListToString(receiveName));`
	`350`	`+if (sendOid&& !pg_proc_ownercheck(sendOid,GetUserId()))`
	`351`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,`
	`352`	`+NameListToString(sendName));`
	`353`	`+if (analyzeOid&& !pg_proc_ownercheck(analyzeOid,GetUserId()))`
	`354`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,`
	`355`	`+NameListToString(analyzeName));`
	`356`	`+`
`333`	`357`	`/*`
`334`	`358`	`* now have TypeCreate do all the real work.`
`335`	`359`	`*/`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit1564e92

File tree

2 files changed

2 files changed

`‎doc/src/sgml/ref/create_type.sgml`

`‎src/backend/commands/typecmds.c`

0 commit comments