Commit5ecc0d7

committed
Restrict lo_import()/lo_export() via SQL permissions not hard-wired checks.
While it's generally unwise to give permissions on these functions to anyone but a superuser, we've been moving away from hard-wired permission checks inside functions in favor of using the SQL permission system to control access. Bring lo_import() and lo_export() into compliance with that approach. In particular, this removes the manual configuration option ALLOW_DANGEROUS_LO_FUNCTIONS. That dates back to 1999 (commit 4cd4a54); it's unlikely anyone has used it in many years. Moreover, if you really want such behavior, now you can get it with GRANT ... TO PUBLIC instead. Michael Paquier. Discussion: https://postgr.es/m/CAB7nPqRHmNOYbETnc_2EjsuzSM00Z+BWKv9sy6tnvSd5gWT_JA@mail.gmail.com
1 parent6c3a7ba commit5ecc0d7


6 files changed

+19
-31
lines changed


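--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -1115,12 +1115,14 @@ LANGUAGE INTERNAL
 STRICT IMMUTABLE PARALLEL SAFE
 AS 'jsonb_insert';
 
+--
 -- The default permissions for functions mean that anyone can execute them.
 -- A number of functions shouldn't be executable by just anyone, but rather
 -- than use explicit 'superuser()' checks in those functions, we use the GRANT
 -- system to REVOKE access to those functions at initdb time. Administrators
 -- can later change who can access these functions, or leave them as only
 -- available to superuser / cluster owner, if they choose.
+--
 REVOKE EXECUTE ON FUNCTION pg_start_backup(text,boolean,boolean) FROM public;
 REVOKE EXECUTE ON FUNCTION pg_stop_backup() FROM public;
 REVOKE EXECUTE ON FUNCTION pg_stop_backup(boolean,boolean) FROM public;
@@ -1138,8 +1140,16 @@ REVOKE EXECUTE ON FUNCTION pg_stat_reset_shared(text) FROM public;
 REVOKE EXECUTE ON FUNCTION pg_stat_reset_single_table_counters(oid) FROM public;
 REVOKE EXECUTE ON FUNCTION pg_stat_reset_single_function_counters(oid) FROM public;
 
+REVOKE EXECUTE ON FUNCTION lo_import(text) FROM public;
+REVOKE EXECUTE ON FUNCTION lo_import(text, oid) FROM public;
+REVOKE EXECUTE ON FUNCTION lo_export(oid, text) FROM public;
+
 REVOKE EXECUTE ON FUNCTION pg_ls_logdir() FROM public;
 REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM public;
+
+--
+-- We also set up some things as accessible to standard roles.
+--
 GRANT EXECUTE ON FUNCTION pg_ls_logdir() TO pg_monitor;
 GRANT EXECUTE ON FUNCTION pg_ls_waldir() TO pg_monitor;
 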
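Review bot: The three new REVOKE lines in the second hunk carry no comment about what these functions can do, while the only place that risk was documented — the CAUTION block in pg_config_manual.h — is deleted in this same commit. Since the commit message explicitly invites administrators to re-enable access with GRANT, the warning should move here so the next person editing the ACLs sees it. I would add above the lo_import() line: `-- lo_import()/lo_export() read and write any file the server process can reach;` / `-- granting EXECUTE on them is equivalent to granting access to the server's filesystem.` The same point applies to the pg_config_manual.h section, where the deleted text could be cited.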

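--- a/src/backend/libpq/be-fsstubs.c
+++ b/src/backend/libpq/be-fsstubs.c
@@ -448,14 +448,6 @@ lo_import_internal(text *filename, Oid lobjOid)
 	LargeObjectDesc *lobj;
 	Oid			oid;
 
-#ifndef ALLOW_DANGEROUS_LO_FUNCTIONS
-	if (!superuser())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("must be superuser to use server-side lo_import()"),
-				 errhint("Anyone can use the client-side lo_import() provided by libpq.")));
-#endif
-
 	CreateFSContext();
 
 	/*
@@ -514,14 +506,6 @@ be_lo_export(PG_FUNCTION_ARGS)
 	LargeObjectDesc *lobj;
 	mode_t		oumask;
 
-#ifndef ALLOW_DANGEROUS_LO_FUNCTIONS
-	if (!superuser())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("must be superuser to use server-side lo_export()"),
-				 errhint("Anyone can use the client-side lo_export() provided by libpq.")));
-#endif
-
 	CreateFSContext();
 
 	/*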
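Review bot: After the superuser() checks are removed from lo_import_internal() and be_lo_export(), nothing in either function body records where the privilege check now lives, so a future reader could reasonably assume the caller is still guaranteed to be a superuser, or re-add a hard-wired check. A one-line comment at the spot where the `#ifndef` block was removed would close that gap, in both hunks: `/* Privilege checking is done via the EXECUTE ACL set up in system_views.sql, not here. */`. Both enclosing functions start and end outside the hunks, so their header comments (which may still describe the old superuser requirement) should be checked as well.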

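--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -53,6 +53,6 @@
  */
 
 /*							yyyymmddN */
-#define CATALOG_VERSION_NO	201710161
+#define CATALOG_VERSION_NO	201711091
 
 #endif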
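--- a/src/include/pg_config_manual.h
+++ b/src/include/pg_config_manual.h
@@ -72,16 +72,6 @@
  */
 #define NUM_ATOMICS_SEMAPHORES	64
 
-/*
- * Define this if you want to allow the lo_import and lo_export SQL
- * functions to be executed by ordinary users. By default these
- * functions are only available to the Postgres superuser. CAUTION:
- * These functions are SECURITY HOLES since they can read and write
- * any file that the PostgreSQL server has permission to access. If
- * you turn this on, don't say we didn't warn you.
- */
-/* #define ALLOW_DANGEROUS_LO_FUNCTIONS */
-
 /*
  * MAXPGPATH: standard size of a pathname buffer in PostgreSQL (hence,
  * maximum usable pathname length is one less).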
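--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -1358,8 +1358,11 @@ ERROR: permission denied for large object 1002
 SELECT lo_unlink(1002);	-- to be denied
 ERROR: must be owner of large object 1002
 SELECT lo_export(1001, '/dev/null');	-- to be denied
-ERROR: must be superuser to use server-side lo_export()
-HINT: Anyone can use the client-side lo_export() provided by libpq.
+ERROR: permission denied for function lo_export
+SELECT lo_import('/dev/null');	-- to be denied
+ERROR: permission denied for function lo_import
+SELECT lo_import('/dev/null', 2003);	-- to be denied
+ERROR: permission denied for function lo_import
 \c -
 SET lo_compat_privileges = true;	-- compatibility mode
 SET SESSION AUTHORIZATION regress_user4;
@@ -1388,8 +1391,7 @@ SELECT lo_unlink(1002);
 (1 row)
 
 SELECT lo_export(1001, '/dev/null');	-- to be denied
-ERROR: must be superuser to use server-side lo_export()
-HINT: Anyone can use the client-side lo_export() provided by libpq.
+ERROR: permission denied for function lo_export
 -- don't allow unpriv users to access pg_largeobject contents
 \c -
 SELECT * FROM pg_largeobject LIMIT 0;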
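--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -839,6 +839,8 @@ SELECT lo_truncate(lo_open(1002, x'20000'::int), 10);	-- to be denied
 SELECT lo_put(1002, 1, 'abcd');	-- to be denied
 SELECT lo_unlink(1002);	-- to be denied
 SELECT lo_export(1001, '/dev/null');	-- to be denied
+SELECT lo_import('/dev/null');	-- to be denied
+SELECT lo_import('/dev/null', 2003);	-- to be denied
 
 \c -
 SET lo_compat_privileges = true;	-- compatibility mode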
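Review bot: The two added lo_import() calls only exercise the denied path for regress_user4, so the test does not show that the new ACL-based control actually works end to end — that a non-superuser granted EXECUTE can call the function, and that revoking it again denies the call. Since this commit replaces a hard-wired check with a grantable one, a short GRANT/call/REVOKE sequence against a harmless path such as '/dev/null' (the path already used here) would pin the intended behaviour. The companion hunk in privileges.out confirms that lo_compat_privileges = true does not bypass the new ACL, which is worth a one-line comment there: `-- compatibility mode does not bypass the EXECUTE ACL on lo_export()`.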
