Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit7215f74

Browse files
committed
Make default ACL be consistent --- ie, starting point for ChangeAcl
is the same as the access permissions granted when a relation's relaclfield is NULL, ie, owner=all rights, world=no rights.
1 parent46cf925 commit7215f74

File tree

3 files changed

+68
-117
lines changed

3 files changed

+68
-117
lines changed

‎src/backend/catalog/aclchk.c‎

Lines changed: 43 additions & 88 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $Header: /cvsroot/pgsql/src/backend/catalog/aclchk.c,v 1.40 2000/09/06 14:15:15 petere Exp $
11+
* $Header: /cvsroot/pgsql/src/backend/catalog/aclchk.c,v 1.41 2000/10/02 04:49:28 tgl Exp $
1212
*
1313
* NOTES
1414
* See acl.h.
@@ -36,35 +36,16 @@
3636
staticint32aclcheck(char*relname,Acl*acl,AclIdid,
3737
AclIdTypeidtype,AclModemode);
3838

39-
/*
40-
* Enable use of user relations in place of real system catalogs.
41-
*/
42-
/*#define ACLDEBUG*/
43-
44-
#ifdefACLDEBUG
45-
/*
46-
* Fool the code below into thinking that "pgacls" is pg_class.
47-
* relname and relowner are in the same place, happily.
48-
*/
49-
#undefAnum_pg_class_relacl
50-
#defineAnum_pg_class_relacl3
51-
#undefNatts_pg_class
52-
#defineNatts_pg_class3
53-
#undefName_pg_class
54-
#defineName_pg_class"pgacls"
55-
#undefName_pg_group
56-
#defineName_pg_group"pggroup"
57-
#endif
58-
5939
/* warning messages, now more explicit. */
60-
/*should correspond to the order of the ACLCHK_* result codesabove. */
40+
/*MUST correspond to the order of the ACLCHK_* result codesin acl.h. */
6141
char*aclcheck_error_strings[]= {
6242
"No error.",
6343
"Permission denied.",
6444
"Table does not exist.",
6545
"Must be table owner."
6646
};
6747

48+
6849
#ifdefACLDEBUG_TRACE
6950
static
7051
dumpacl(Acl*acl)
@@ -84,7 +65,7 @@ dumpacl(Acl *acl)
8465
#endif
8566

8667
/*
87-
*
68+
* ChangeAcl
8869
*/
8970
void
9071
ChangeAcl(char*relname,
@@ -96,12 +77,12 @@ ChangeAcl(char *relname,
9677
*new_acl;
9778
Relationrelation;
9879
HeapTupletuple;
80+
DatumaclDatum;
9981
Datumvalues[Natts_pg_class];
10082
charnulls[Natts_pg_class];
10183
charreplaces[Natts_pg_class];
10284
Relationidescs[Num_pg_class_indices];
10385
boolisNull;
104-
boolfree_old_acl= false;
10586

10687
/*
10788
* Find the pg_class tuple matching 'relname' and extract the ACL. If
@@ -118,29 +99,20 @@ ChangeAcl(char *relname,
11899
relname);
119100
}
120101

121-
old_acl= (Acl*)heap_getattr(tuple,
122-
Anum_pg_class_relacl,
123-
RelationGetDescr(relation),
124-
&isNull);
102+
aclDatum=SysCacheGetAttr(RELNAME,tuple,Anum_pg_class_relacl,
103+
&isNull);
125104
if (isNull)
126105
{
127-
#ifdefACLDEBUG_TRACE
128-
elog(DEBUG,"ChangeAcl: using default ACL");
129-
#endif
130-
old_acl=acldefault(relname);
131-
free_old_acl= true;
132-
}
133-
134-
/* Need to detoast the old ACL for modification */
135-
old_acl=DatumGetAclP(PointerGetDatum(old_acl));
106+
/* No ACL, so build default ACL for rel */
107+
AclIdownerId;
136108

137-
if (ACL_NUM(old_acl)<1)
109+
ownerId= ((Form_pg_class)GETSTRUCT(tuple))->relowner;
110+
old_acl=acldefault(relname,ownerId);
111+
}
112+
else
138113
{
139-
#ifdefACLDEBUG_TRACE
140-
elog(DEBUG,"ChangeAcl: old ACL has zero length");
141-
#endif
142-
old_acl=acldefault(relname);
143-
free_old_acl= true;
114+
/* get a detoasted copy of the rel's ACL */
115+
old_acl=DatumGetAclPCopy(aclDatum);
144116
}
145117

146118
#ifdefACLDEBUG_TRACE
@@ -173,8 +145,8 @@ ChangeAcl(char *relname,
173145
CatalogCloseIndices(Num_pg_class_indices,idescs);
174146

175147
heap_close(relation,RowExclusiveLock);
176-
if (free_old_acl)
177-
pfree(old_acl);
148+
149+
pfree(old_acl);
178150
pfree(new_acl);
179151
}
180152

@@ -264,9 +236,15 @@ aclcheck(char *relname, Acl *acl, AclId id, AclIdType idtype, AclMode mode)
264236
unsignednum,
265237
found_group;
266238

267-
/* if no acl is found, use world default */
239+
/*
240+
* If ACL is null, default to "OK" --- this should not happen,
241+
* since caller should have inserted appropriate default
242+
*/
268243
if (!acl)
269-
acl=acldefault(relname);
244+
{
245+
elog(DEBUG,"aclcheck: null ACL, returning 1");
246+
returnACLCHECK_OK;
247+
}
270248

271249
num=ACL_NUM(acl);
272250
aidat=ACL_DAT(acl);
@@ -278,9 +256,7 @@ aclcheck(char *relname, Acl *acl, AclId id, AclIdType idtype, AclMode mode)
278256
*/
279257
if (num<1)
280258
{
281-
#if defined(ACLDEBUG_TRACE)||1
282259
elog(DEBUG,"aclcheck: zero-length ACL, returning 1");
283-
#endif
284260
returnACLCHECK_OK;
285261
}
286262

@@ -357,11 +333,12 @@ aclcheck(char *relname, Acl *acl, AclId id, AclIdType idtype, AclMode mode)
357333
int32
358334
pg_aclcheck(char*relname,Oiduserid,AclModemode)
359335
{
360-
HeapTupletuple;
361-
Acl*acl= (Acl*)NULL;
362336
int32result;
337+
HeapTupletuple;
363338
char*usename;
364-
Relationrelation;
339+
DatumaclDatum;
340+
boolisNull;
341+
Acl*acl;
365342

366343
tuple=SearchSysCacheTuple(SHADOWSYSID,
367344
ObjectIdGetDatum(userid),
@@ -399,53 +376,31 @@ pg_aclcheck(char *relname, Oid userid, AclMode mode)
399376
returnACLCHECK_OK;
400377
}
401378

402-
#ifndefACLDEBUG
403-
relation=heap_openr(RelationRelationName,RowExclusiveLock);
379+
/*
380+
* Normal case: get the relation's ACL from pg_class
381+
*/
404382
tuple=SearchSysCacheTuple(RELNAME,
405383
PointerGetDatum(relname),
406384
0,0,0);
407385
if (!HeapTupleIsValid(tuple))
408-
{
409-
elog(ERROR,"pg_aclcheck: class \"%s\" not found",
410-
relname);
411-
}
412-
if (!heap_attisnull(tuple,Anum_pg_class_relacl))
413-
{
414-
/* get a detoasted copy of the ACL */
415-
acl=DatumGetAclPCopy(heap_getattr(tuple,
416-
Anum_pg_class_relacl,
417-
RelationGetDescr(relation),
418-
(bool*)NULL));
419-
}
420-
else
421-
{
386+
elog(ERROR,"pg_aclcheck: class \"%s\" not found",relname);
422387

423-
/*
424-
* if the acl is null, by default the owner can do whatever he
425-
* wants to with it
426-
*/
388+
aclDatum=SysCacheGetAttr(RELNAME,tuple,Anum_pg_class_relacl,
389+
&isNull);
390+
if (isNull)
391+
{
392+
/* No ACL, so build default ACL for rel */
427393
AclIdownerId;
428394

429395
ownerId= ((Form_pg_class)GETSTRUCT(tuple))->relowner;
430-
acl=aclownerdefault(relname,ownerId);
396+
acl=acldefault(relname,ownerId);
431397
}
432-
heap_close(relation,RowExclusiveLock);
433-
#else
434-
relation=heap_openr(RelationRelationName,RowExclusiveLock);
435-
tuple=SearchSysCacheTuple(RELNAME,
436-
PointerGetDatum(relname),
437-
0,0,0);
438-
if (HeapTupleIsValid(tuple)&&
439-
!heap_attisnull(tuple,Anum_pg_class_relacl))
398+
else
440399
{
441-
/* get a detoasted copy of the ACL */
442-
acl=DatumGetAclPCopy(heap_getattr(tuple,
443-
Anum_pg_class_relacl,
444-
RelationGetDescr(relation),
445-
(bool*)NULL));
400+
/* get a detoasted copy of the rel's ACL */
401+
acl=DatumGetAclPCopy(aclDatum);
446402
}
447-
heap_close(relation,RowExclusiveLock);
448-
#endif
403+
449404
result=aclcheck(relname,acl,userid, (AclIdType)ACL_IDTYPE_UID,mode);
450405
if (acl)
451406
pfree(acl);

‎src/backend/utils/adt/acl.c‎

Lines changed: 13 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.48 2000/07/31 22:39:09 tgl Exp $
11+
* $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.49 2000/10/02 04:49:27 tgl Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -334,12 +334,23 @@ aclitemgt(AclItem *a1, AclItem *a2)
334334
(a1->ai_idtype==a2->ai_idtype&&a1->ai_id>a2->ai_id));
335335
}
336336

337+
338+
/*
339+
* acldefault() --- create an ACL describing default access permissions
340+
*
341+
* Change this routine if you want to alter the default access policy for
342+
* newly-created tables (or any table with a NULL acl entry in pg_class)
343+
*/
337344
Acl*
338-
aclownerdefault(char*relname,AclIdownerid)
345+
acldefault(char*relname,AclIdownerid)
339346
{
340347
Acl*acl;
341348
AclItem*aip;
342349

350+
#defineACL_WORLD_DEFAULT(ACL_NO)
351+
/* #defineACL_WORLD_DEFAULT(ACL_RD|ACL_WR|ACL_AP|ACL_RU) */
352+
#defineACL_OWNER_DEFAULT(ACL_RD|ACL_WR|ACL_AP|ACL_RU)
353+
343354
acl=makeacl(2);
344355
aip=ACL_DAT(acl);
345356
aip[0].ai_idtype=ACL_IDTYPE_WORLD;
@@ -351,19 +362,6 @@ aclownerdefault(char *relname, AclId ownerid)
351362
returnacl;
352363
}
353364

354-
Acl*
355-
acldefault(char*relname)
356-
{
357-
Acl*acl;
358-
AclItem*aip;
359-
360-
acl=makeacl(1);
361-
aip=ACL_DAT(acl);
362-
aip[0].ai_idtype=ACL_IDTYPE_WORLD;
363-
aip[0].ai_id=ACL_ID_WORLD;
364-
aip[0].ai_mode=IsSystemRelationName(relname) ?ACL_RD :ACL_WORLD_DEFAULT;
365-
returnacl;
366-
}
367365

368366
/*
369367
* Add or replace an item in an ACL array.

‎src/include/utils/acl.h‎

Lines changed: 12 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,12 @@
77
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
88
* Portions Copyright (c) 1994, Regents of the University of California
99
*
10-
* $Id: acl.h,v 1.27 2000/09/06 14:15:31 petere Exp $
10+
* $Id: acl.h,v 1.28 2000/10/02 04:49:27 tgl Exp $
1111
*
1212
* NOTES
1313
* For backward-compatibility purposes we have to allow there
1414
* to be a null ACL in a pg_class tuple. This will be defined as
15-
* meaning "no protection" (i.e.,old catalogs get old semantics).
15+
* meaning "default protection" (i.e.,whatever acldefault() returns).
1616
*
1717
* The AclItems in an ACL array are currently kept in sorted order.
1818
* Things will break hard if you change that without changing the
@@ -32,7 +32,7 @@
3232
*/
3333
typedefuint32AclId;
3434

35-
#defineACL_ID_WORLD0/*XXX only idtype should be checked */
35+
#defineACL_ID_WORLD0/*placeholder for id in a WORLD acl item */
3636

3737
/*
3838
* AclIdTypetag that describes if the AclId is a user, group, etc.
@@ -58,15 +58,6 @@ typedef uint8 AclMode;
5858
#defineACL_RU(1<<3)/* place rules */
5959
#defineN_ACL_MODES4
6060

61-
#defineACL_MODECHG_ADD1
62-
#defineACL_MODECHG_DEL2
63-
#defineACL_MODECHG_EQL3
64-
65-
/* change this line if you want to set the default acl permission */
66-
#defineACL_WORLD_DEFAULT(ACL_NO)
67-
/* #defineACL_WORLD_DEFAULT(ACL_RD|ACL_WR|ACL_AP|ACL_RU) */
68-
#defineACL_OWNER_DEFAULT(ACL_RD|ACL_WR|ACL_AP|ACL_RU)
69-
7061
/*
7162
* AclItem
7263
*/
@@ -143,6 +134,13 @@ typedef ArrayType IdList;
143134
#definePG_RETURN_IDLIST_P(x) PG_RETURN_POINTER(x)
144135

145136

137+
/*
138+
* ACL modification opcodes
139+
*/
140+
#defineACL_MODECHG_ADD1
141+
#defineACL_MODECHG_DEL2
142+
#defineACL_MODECHG_EQL3
143+
146144
/* mode indicators for I/O */
147145
#defineACL_MODECHG_STR"+-="/* list of valid characters */
148146
#defineACL_MODECHG_ADD_CHR'+'
@@ -171,8 +169,8 @@ extern char *aclcheck_error_strings[];
171169
/*
172170
* routines used internally (parser, etc.)
173171
*/
174-
externAcl*aclownerdefault(char*relname,AclIdownerid);
175-
externAcl*acldefault(char*relname);
172+
externAcl*acldefault(char*relname,AclIdownerid);
173+
176174
externAcl*aclinsert3(Acl*old_acl,AclItem*mod_aip,unsignedmodechg);
177175

178176
externchar*aclmakepriv(char*old_privlist,charnew_priv);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp