forked frompostgres/postgres
- Notifications
You must be signed in to change notification settings - Fork6
Commit48a257d
committed
Make ALTER DEFAULT PRIVILEGES require privileges, not membership.
If role A is a direct or indirect member of role B but does not inheritB's privileges (because at least one relevant grant was created WITHINHERIT FALSE) then A should not be permitted to bypass privilegechecks that require the privileges of B. For example, A can't changethe privileges of objects owned by B, nor can A drop those objects.However, up until now, it's been possible for A to change defaultprivileges for role B. That doesn't seem to be correct, because anon-inherited role grant is only supposed to permit you to assumethe identity of the granted role via SET ROLE, and should nototherwise permit you to exercise the privileges of that role. Mostplaces followed that rule, but this case was an exception.This could be construed as a security vulnerability, but it does notseem entirely clear cut, since older branches were fuzzy about thedistinction between is_member_of_role() and has_privs_of_role() ina number of other ways as well. Because of this, and becauseuser-visible behavior changes in minor releases are to be avoidedwhenever possible, no back-patch.Discussion:http://postgr.es/m/CA+TgmobG_YUP06R_PM_2Z7wR0qv_52gQPHD8CYXbJva0cf0E+A@mail.gmail.com1 parentebfb814 commit48a257d
1 file changed
+4
-7
lines changedLines changed: 4 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1117 | 1117 | | |
1118 | 1118 | | |
1119 | 1119 | | |
1120 | | - | |
1121 | | - | |
1122 | | - | |
1123 | | - | |
1124 | | - | |
1125 | | - | |
1126 | | - | |
| 1120 | + | |
| 1121 | + | |
| 1122 | + | |
| 1123 | + | |
1127 | 1124 | | |
1128 | 1125 | | |
1129 | 1126 | | |
| |||
0 commit comments
Comments
(0)