NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit6198420

committed

Use has_privs_for_roles for predefined role checks

Generally if a role is granted membership to another role with NOINHERITthey must use SET ROLE to access the privileges of that role, howeverwith predefined roles the membership and privilege is conflated. Fix thatby replacing is_member_of_role with has_privs_for_role for predefinedroles. Patch does not remove is_member_of_role from acl.h, but it doesadd a warning not to use that function for privilege checking. Notbackpatched based on hackers list discussion.Author: Joshua BrindleReviewed-by: Stephen Frost, Nathan Bossart, Joe ConwayDiscussion:https://postgr.es/m/flat/CAGB+Vh4Zv_TvKt2tv3QNS6tUM_F_9icmuj0zjywwcgVi4PAhFA@mail.gmail.com

1 parent79de984 commit6198420Copy full SHA for 6198420

File tree

23 files changed

+68

-64

lines changed

contrib
- adminpack
  - adminpack.c
- file_fdw
  - expected
    - file_fdw.out
  - file_fdw.c
- pg_stat_statements
  - pg_stat_statements.c
- pgrowlocks
  - pgrowlocks.c
doc/src/sgml
src
- backend
  - commands
    - copy.c
  - replication
    - walreceiver.c
    - walsender.c
  - utils
    - adt
    - misc
      - guc.c
- test/modules/unsafe_tests/expected
  - rolenames.out

23 files changed

+68

-64

lines changed

`‎contrib/adminpack/adminpack.c‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ convert_and_check_filename(text *arg)`
`79`	`79`	`* files on the server as the PG user, so no need to do any further checks`
`80`	`80`	`* here.`
`81`	`81`	`*/`
`82`		`-if (is_member_of_role(GetUserId(),ROLE_PG_WRITE_SERVER_FILES))`
	`82`	`+if (has_privs_of_role(GetUserId(),ROLE_PG_WRITE_SERVER_FILES))`
`83`	`83`	`returnfilename;`
`84`	`84`
`85`	`85`	`/*`

`‎contrib/file_fdw/expected/file_fdw.out‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -459,7 +459,7 @@ ALTER FOREIGN TABLE agg_text OWNER TO regress_file_fdw_user;`
`459`	`459`	`ALTER FOREIGN TABLE agg_text OPTIONS (SET format 'text');`
`460`	`460`	`SET ROLE regress_file_fdw_user;`
`461`	`461`	`ALTER FOREIGN TABLE agg_text OPTIONS (SET format 'text');`
`462`		`-ERROR: only superuser or amember of the pg_read_server_files role may specify the filename option of a file_fdw foreign table`
	`462`	`+ERROR: only superuser or arole with privileges of the pg_read_server_files role may specify the filename option of a file_fdw foreign table`
`463`	`463`	`SET ROLE regress_file_fdw_superuser;`
`464`	`464`	`-- cleanup`
`465`	`465`	`RESET ROLE;`

`‎contrib/file_fdw/file_fdw.c‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -269,16 +269,16 @@ file_fdw_validator(PG_FUNCTION_ARGS)`
`269`	`269`	`* otherwise there'd still be a security hole.`
`270`	`270`	`*/`
`271`	`271`	`if (strcmp(def->defname,"filename")==0&&`
`272`		`-!is_member_of_role(GetUserId(),ROLE_PG_READ_SERVER_FILES))`
	`272`	`+!has_privs_of_role(GetUserId(),ROLE_PG_READ_SERVER_FILES))`
`273`	`273`	`ereport(ERROR,`
`274`	`274`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`275`		`-errmsg("only superuser or amember of the pg_read_server_files role may specify the filename option of a file_fdw foreign table")));`
	`275`	`+errmsg("only superuser or arole with privileges of the pg_read_server_files role may specify the filename option of a file_fdw foreign table")));`
`276`	`276`
`277`	`277`	`if (strcmp(def->defname,"program")==0&&`
`278`		`-!is_member_of_role(GetUserId(),ROLE_PG_EXECUTE_SERVER_PROGRAM))`
	`278`	`+!has_privs_of_role(GetUserId(),ROLE_PG_EXECUTE_SERVER_PROGRAM))`
`279`	`279`	`ereport(ERROR,`
`280`	`280`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`281`		`-errmsg("only superuser or amember of the pg_execute_server_program role may specify the program option of a file_fdw foreign table")));`
	`281`	`+errmsg("only superuser or arole with privileges of the pg_execute_server_program role may specify the program option of a file_fdw foreign table")));`
`282`	`282`
`283`	`283`	`filename=defGetString(def);`
`284`	`284`	`}`

`‎contrib/pg_stat_statements/pg_stat_statements.c‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1503,8 +1503,8 @@ pg_stat_statements_internal(FunctionCallInfo fcinfo,`
`1503`	`1503`	`HASH_SEQ_STATUShash_seq;`
`1504`	`1504`	`pgssEntry*entry;`
`1505`	`1505`
`1506`		`-/* Superusers ormembers of pg_read_all_stats members are allowed */`
`1507`		`-is_allowed_role=is_member_of_role(userid,ROLE_PG_READ_ALL_STATS);`
	`1506`	`+/* Superusers orroles with the privileges of pg_read_all_stats members are allowed */`
	`1507`	`+is_allowed_role=has_privs_of_role(userid,ROLE_PG_READ_ALL_STATS);`
`1508`	`1508`
`1509`	`1509`	`/* hash table must exist already */`
`1510`	`1510`	`if (!pgss\|\| !pgss_hash)`

`‎contrib/pgrowlocks/pgrowlocks.c‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ pgrowlocks(PG_FUNCTION_ARGS)`
`104`	`104`	`aclresult=pg_class_aclcheck(RelationGetRelid(rel),GetUserId(),`
`105`	`105`	`ACL_SELECT);`
`106`	`106`	`if (aclresult!=ACLCHECK_OK)`
`107`		`-aclresult=is_member_of_role(GetUserId(),ROLE_PG_STAT_SCAN_TABLES) ?ACLCHECK_OK :ACLCHECK_NO_PRIV;`
	`107`	`+aclresult=has_privs_of_role(GetUserId(),ROLE_PG_STAT_SCAN_TABLES) ?ACLCHECK_OK :ACLCHECK_NO_PRIV;`
`108`	`108`
`109`	`109`	`if (aclresult!=ACLCHECK_OK)`
`110`	`110`	`aclcheck_error(aclresult,get_relkind_objtype(rel->rd_rel->relkind),`

`‎doc/src/sgml/adminpack.sgml‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,9 +22,9 @@`
`22`	`22`	`functions in <xref linkend="functions-admin-genfile-table"/>, which`
`23`	`23`	`provide read-only access.)`
`24`	`24`	`Only files within the database cluster directory can be accessed, unless the`
`25`		`- user is a superuser or given one of the pg_read_server_files,or pg_write_server_files`
`26`		`- roles, as appropriate for the function, but either a relative or absolute path is`
`27`		`- allowable.`
	`25`	`+ user is a superuser or givenprivileges ofone of the pg_read_server_files,`
	`26`	`+or pg_write_server_filesroles, as appropriate for the function, but either a`
	`27`	`+relative or absolute path isallowable.`
`28`	`28`	`</para>`
`29`	`29`
`30`	`30`	`<table id="functions-adminpack-table">`

`‎doc/src/sgml/catalogs.sgml‎`

Lines changed: 6 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -10044,8 +10044,8 @@ SCRAM-SHA-256$<replaceable><iteration count></replaceable>:<replaceable>&l`
`10044`	`10044`
`10045`	`10045`	`<para>`
`10046`	`10046`	`By default, the <structname>pg_backend_memory_contexts</structname> view can be`
`10047`		`- read only by superusers ormembers of the<literal>pg_read_all_stats</literal>`
`10048`		`- role.`
	`10047`	`+ read only by superusers orroles with theprivileges of the`
	`10048`	`+<literal>pg_read_all_stats</literal>role.`
`10049`	`10049`	`</para>`
`10050`	`10050`	`</sect1>`
`10051`	`10051`
`@@ -12552,7 +12552,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx`
`12552`	`12552`	`<para>`
`12553`	`12553`	`Configuration file the current value was set in (null for`
`12554`	`12554`	`values set from sources other than configuration files, or when`
`12555`		`- examined by a user whoisneither a superuseror a member of`
	`12555`	`+ examined by a user who neitherisa superusernor has privileges of`
`12556`	`12556`	`<literal>pg_read_all_settings</literal>); helpful when using`
`12557`	`12557`	`<literal>include</literal> directives in configuration files`
`12558`	`12558`	`</para></entry>`
`@@ -12565,7 +12565,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx`
`12565`	`12565`	`<para>`
`12566`	`12566`	`Line number within the configuration file the current value was`
`12567`	`12567`	`set at (null for values set from sources other than configuration files,`
`12568`		`- or when examined by a user whoisneither a superuseror a member of`
	`12568`	`+ or when examined by a user who neitherisa superusernor has privileges of`
`12569`	`12569`	`<literal>pg_read_all_settings</literal>).`
`12570`	`12570`	`</para></entry>`
`12571`	`12571`	`</row>`
`@@ -12941,8 +12941,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx`
`12941`	`12941`
`12942`	`12942`	`<para>`
`12943`	`12943`	`By default, the <structname>pg_shmem_allocations</structname> view can be`
`12944`		`- read only by superusers ormembersof the <literal>pg_read_all_stats</literal>`
`12945`		`- role.`
	`12944`	`+ read only by superusers orroles with privilegesof the`
	`12945`	`+<literal>pg_read_all_stats</literal>role.`
`12946`	`12946`	`</para>`
`12947`	`12947`	`</sect1>`
`12948`	`12948`

`‎doc/src/sgml/func.sgml‎`

Lines changed: 6 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -25435,7 +25435,7 @@ SELECT collation for ('foo' COLLATE "de_DE");`
`25435`	`25435`	`Cancels the current query of the session whose backend process has the`
`25436`	`25436`	`specified process ID. This is also allowed if the`
`25437`	`25437`	`calling role is a member of the role whose backend is being canceled or`
`25438`		`- the calling role hasbeen granted <literal>pg_signal_backend</literal>,`
	`25438`	`+ the calling role hasprivileges of <literal>pg_signal_backend</literal>,`
`25439`	`25439`	`however only superusers can cancel superuser backends.`
`25440`	`25440`	`</para></entry>`
`25441`	`25441`	`</row>`
`@@ -25508,7 +25508,7 @@ SELECT collation for ('foo' COLLATE "de_DE");`
`25508`	`25508`	`Terminates the session whose backend process has the`
`25509`	`25509`	`specified process ID. This is also allowed if the calling role`
`25510`	`25510`	`is a member of the role whose backend is being terminated or the`
`25511`		`- calling role hasbeen granted <literal>pg_signal_backend</literal>,`
	`25511`	`+ calling role hasprivileges of <literal>pg_signal_backend</literal>,`
`25512`	`25512`	`however only superusers can terminate superuser backends.`
`25513`	`25513`	`</para>`
`25514`	`25514`	`<para>`
`@@ -26783,7 +26783,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());`
`26783`	`26783`	`Computes the total disk space used by the database with the specified`
`26784`	`26784`	`name or OID. To use this function, you must`
`26785`	`26785`	`have <literal>CONNECT</literal> privilege on the specified database`
`26786`		`- (which is granted by default) orbe a member of`
	`26786`	`+ (which is granted by default) orhave privileges of`
`26787`	`26787`	`the <literal>pg_read_all_stats</literal> role.`
`26788`	`26788`	`</para></entry>`
`26789`	`26789`	`</row>`
`@@ -26913,7 +26913,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());`
`26913`	`26913`	`Computes the total disk space used in the tablespace with the`
`26914`	`26914`	`specified name or OID. To use this function, you must`
`26915`	`26915`	`have <literal>CREATE</literal> privilege on the specified tablespace`
`26916`		`- orbe a member of the <literal>pg_read_all_stats</literal> role,`
	`26916`	`+ orhave privileges of the <literal>pg_read_all_stats</literal> role,`
`26917`	`26917`	`unless it is the default tablespace for the current database.`
`26918`	`26918`	`</para></entry>`
`26919`	`26919`	`</row>`
`@@ -27392,7 +27392,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size`
`27392`	`27392`	`a dot, directories, and other special files are excluded.`
`27393`	`27393`	`</para>`
`27394`	`27394`	`<para>`
`27395`		`- This function is restricted to superusers andmembers of`
	`27395`	`+ This function is restricted to superusers androles with privileges of`
`27396`	`27396`	`the <literal>pg_monitor</literal> role by default, but other users can`
`27397`	`27397`	`be granted EXECUTE to run the function.`
`27398`	`27398`	`</para></entry>`
`@@ -27416,7 +27416,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size`
`27416`	`27416`	`are excluded.`
`27417`	`27417`	`</para>`
`27418`	`27418`	`<para>`
`27419`		`- This function is restricted to superusers andmembers of`
	`27419`	`+ This function is restricted to superusers androles with privileges of`
`27420`	`27420`	`the <literal>pg_monitor</literal> role by default, but other users can`
`27421`	`27421`	`be granted EXECUTE to run the function.`
`27422`	`27422`	`</para></entry>`

`‎doc/src/sgml/monitoring.sgml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -280,7 +280,7 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser`
`280`	`280`	`(sessions belonging to a role that they are a member of). In rows about`
`281`	`281`	`other sessions, many columns will be null. Note, however, that the`
`282`	`282`	`existence of a session and its general properties such as its sessions user`
`283`		`- and database are visible to all users. Superusers andmembers of the`
	`283`	`+ and database are visible to all users. Superusers androles with privileges of`
`284`	`284`	`built-in role <literal>pg_read_all_stats</literal> (see also <xref`
`285`	`285`	`linkend="predefined-roles"/>) can see all the information about all sessions.`
`286`	`286`	`</para>`

`‎doc/src/sgml/pgbuffercache.sgml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@`
`24`	`24`	`</para>`
`25`	`25`
`26`	`26`	`<para>`
`27`		`- By default, use is restricted to superusers andmembers of the`
	`27`	`+ By default, use is restricted to superusers androles with privileges of the`
`28`	`28`	`<literal>pg_monitor</literal> role. Access may be granted to others`
`29`	`29`	`using <command>GRANT</command>.`
`30`	`30`	`</para>`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6198420

File tree

23 files changed

23 files changed

`‎contrib/adminpack/adminpack.c‎`

`‎contrib/file_fdw/expected/file_fdw.out‎`

`‎contrib/file_fdw/file_fdw.c‎`

`‎contrib/pg_stat_statements/pg_stat_statements.c‎`

`‎contrib/pgrowlocks/pgrowlocks.c‎`

`‎doc/src/sgml/adminpack.sgml‎`

`‎doc/src/sgml/catalogs.sgml‎`

`‎doc/src/sgml/func.sgml‎`

`‎doc/src/sgml/monitoring.sgml‎`

`‎doc/src/sgml/pgbuffercache.sgml‎`

0 commit comments