Commit7b30490

committed
First step done,
below is the patch to have views to override the permission checks for the accessed tables. Now we can do the following: CREATE VIEW db_user AS SELECT usename, usesysid, usecreatedb, usetrace, usecatupd, '**********'::text as passwd, valuntil FROM pg_user; REVOKE ALL ON pg_user FROM public; REVOKE ALL ON db_user FROM public; GRANT SELECT ON db_user TO public;
1 parent7343288 commit7b30490

7 files changed

+126
-17
lines changed

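--- a/src/backend/executor/execMain.c
+++ b/src/backend/executor/execMain.c
@@ -26,7 +26,7 @@
  *
  *
  * IDENTIFICATION
- *    $Header: /cvsroot/pgsql/src/backend/executor/execMain.c,v 1.42 1998/02/13 03:26:38 vadim Exp $
+ *    $Header: /cvsroot/pgsql/src/backend/executor/execMain.c,v 1.43 1998/02/21 06:31:37 scrappy Exp $
  *
  *
  *-------------------------------------------------------------------------
  */
@@ -299,6 +299,17 @@ ExecCheckPerms(CmdType operation,
 	{
 		RangeTblEntry *rte = lfirst(lp);
 
+		if (rte->skipAcl)
+		{
+			/*
+			 * This happens if the access to this table is due
+			 * to a view query rewriting - the rewrite handler
+			 * checked the permissions against the view owner,
+			 * so we just skip this entry.
+			 */
+			continue;
+		}
+
 		relid = rte->relid;
 		htp = SearchSysCacheTuple(RELOID,
 								  ObjectIdGetDatum(relid),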
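Review bot: The new `if (rte->skipAcl) continue;` makes the executor's only ACL check trust a plain boolean on the range-table entry, and nothing here verifies where that flag came from; any code path that builds or copies an RTE with it set (copyObject now propagates it, per the copyfuncs.c change) silently bypasses permission checking for that relation. The comment should state the invariant the executor is relying on so future RTE producers do not set it casually, e.g. `/* skipAcl is trusted unconditionally: only the rewriter may set it, and only on RTEs it has already checked against the view owner (CheckViewPerms). */`. ExecCheckPerms begins and ends outside this hunk, so whether the view's own RTE is still checked cannot be confirmed from here.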

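--- a/src/backend/nodes/copyfuncs.c
+++ b/src/backend/nodes/copyfuncs.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *    $Header: /cvsroot/pgsql/src/backend/nodes/copyfuncs.c,v 1.38 1998/02/13 03:27:42 vadim Exp $
+ *    $Header: /cvsroot/pgsql/src/backend/nodes/copyfuncs.c,v 1.39 1998/02/21 06:31:40 scrappy Exp $
  *
  *
  *-------------------------------------------------------------------------
  */
@@ -1495,6 +1495,7 @@ _copyRangeTblEntry(RangeTblEntry *from)
 	newnode->relid = from->relid;
 	newnode->inh = from->inh;
 	newnode->inFromCl = from->inFromCl;
+	newnode->skipAcl = from->skipAcl;
 
 
 	return newnode;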
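Review bot: `newnode->skipAcl = from->skipAcl;` means every copy of a rewritten query carries the executor-bypass flag with it, so the flag must never be set on an RTE that is persisted or reused outside the single rewrite that justified it. The commit's seven-file list contains no outfuncs.c/readfuncs.c change, so the field presumably is not serialized and a rule action read back from the catalog would come up with it cleared — the safe direction, but worth a comment here: `/* skipAcl: executor ACL bypass set by the rewriter for view expansion; copied verbatim, never serialized */`. _copyRangeTblEntry starts outside this hunk.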

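--- a/src/backend/parser/gram.c
+++ b/src/backend/parser/gram.c
@@ -210,7 +210,7 @@
  *
  *
  * IDENTIFICATION
- *    $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.1 1998/02/18 07:28:06 thomas Exp $
+ *    $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.2 1998/02/21 06:31:46 scrappy Exp $
  *
  * HISTORY
  *    AUTHOR	DATE	MAJOR EVENT
@@ -3753,7 +3753,7 @@ static const short yycheck[] = { 3,
     -1,    -1,    -1,   172
 };
 /* -*-C-*-  Note some compilers choke on comments on `#line' lines. */
-#line 3 "/usr/lib/bison.simple"
+#line 3 "/usr/share/misc/bison.simple"
 
 /* Skeleton output parser for bison,
    Copyright (C) 1984, 1989, 1990 Free Software Foundation, Inc.
@@ -3946,7 +3946,7 @@ __yy_memcpy (char *to, char *from, int count)
 #endif
 #endif
 
-#line 196 "/usr/lib/bison.simple"
+#line 196 "/usr/share/misc/bison.simple"
 
 /* The user can define YYPARSE_PARAM as the name of an argument to be passed
    into yyparse.  The argument should have type void *.
@@ -9401,7 +9401,7 @@ case 842:
     break;}
     }
    /* the action file gets copied in in place of this dollarsign */
-#line 498 "/usr/lib/bison.simple"
+#line 498 "/usr/share/misc/bison.simple"
 
   yyvsp -= yylen;
   yyssp -= yylen;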

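--- a/src/backend/parser/scan.c
+++ b/src/backend/parser/scan.c
@@ -1,7 +1,7 @@
 /* A lexical scanner generated by flex */
 
 /* Scanner skeleton version:
- * $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.14 1998/02/18 07:23:22 thomas Exp $
+ * $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.15 1998/02/21 06:31:52 scrappy Exp $
  */
 
 #define FLEX_SCANNER
@@ -547,7 +547,7 @@ char *yytext;
  *
  *
  * IDENTIFICATION
- *    $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.14 1998/02/18 07:23:22 thomas Exp $
+ *    $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.15 1998/02/21 06:31:52 scrappy Exp $
  *
  *-------------------------------------------------------------------------
  */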

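--- a/src/backend/rewrite/rewriteHandler.c
+++ b/src/backend/rewrite/rewriteHandler.c
@@ -6,10 +6,11 @@
  *
  *
  * IDENTIFICATION
- *    $Header: /cvsroot/pgsql/src/backend/rewrite/rewriteHandler.c,v 1.11 1998/01/21 04:24:36 momjian Exp $
+ *    $Header: /cvsroot/pgsql/src/backend/rewrite/rewriteHandler.c,v 1.12 1998/02/21 06:31:57 scrappy Exp $
  *
  *-------------------------------------------------------------------------
  */
+#include <string.h>
 #include "postgres.h"
 #include "miscadmin.h"
 #include "utils/palloc.h"
@@ -29,13 +30,19 @@
 #include "commands/creatinh.h"
 #include "access/heapam.h"
 
+#include "utils/syscache.h"
+#include "utils/acl.h"
+#include "catalog/pg_user.h"
+
 static void ApplyRetrieveRule(Query *parsetree, RewriteRule *rule,
-				  int rt_index, int relation_level, int *modified);
+				  int rt_index, int relation_level,
+				  Relation relation, int *modified);
 static List *fireRules(Query *parsetree, int rt_index, CmdType event,
 		  bool *instead_flag, List *locks, List **qual_products);
 static void QueryRewriteSubLink(Node *node);
 static List *QueryRewriteOne(Query *parsetree);
 static List *deepRewriteQuery(Query *parsetree);
+static void CheckViewPerms(Relation view, List *rtable);
 
 /*
  * gatherRewriteMeta -
@@ -219,7 +226,7 @@ FireRetrieveRulesAtQuery(Query *parsetree,
 				*instead_flag = TRUE;
 				return rule_lock->actions;
 			}
-			ApplyRetrieveRule(parsetree, rule_lock, rt_index, relation_level,
+			ApplyRetrieveRule(parsetree, rule_lock, rt_index, relation_level, relation,
 							  &modified);
 			if (modified)
 			{
@@ -247,6 +254,7 @@ ApplyRetrieveRule(Query *parsetree,
 				  RewriteRule *rule,
 				  int rt_index,
 				  int relation_level,
+				  Relation relation,
 				  int *modified)
 {
 	Query	   *rule_action = NULL;
@@ -256,16 +264,41 @@ ApplyRetrieveRule(Query *parsetree,
 	int			nothing,
 				rt_length;
 	int			badsql = FALSE;
+	int			viewAclOverride = FALSE;
 
 	rule_qual = rule->qual;
 	if (rule->actions)
 	{
 		if (length(rule->actions) > 1)	/* ??? because we don't handle
-										 * rules with more than one
-										 * action? -ay */
+										 * rules with more than one
+										 * action? -ay */
+
+										/* WARNING!!!
+										 * If we sometimes handle
+										 * rules with more than one
+										 * action, the view acl checks
+										 * might get broken.
+										 * viewAclOverride should only
+										 * become true (below) if this
+										 * is a relation_level, instead,
+										 * select query - Jan
+										 */
 			return;
 		rule_action = copyObject(lfirst(rule->actions));
 		nothing = FALSE;
+
+		/*
+		 * If this rule is on the relation level, the rule action
+		 * is a select and the rule is instead then it must be
+		 * a view. Permissions for views now follow the owner of
+		 * the view, not the current user.
+		 */
+		if (relation_level && rule_action->commandType == CMD_SELECT
+			&& rule->isInstead)
+		{
+			CheckViewPerms(relation, rule_action->rtable);
+			viewAclOverride = TRUE;
+		}
 	}
 	else
 	{
@@ -284,7 +317,30 @@ ApplyRetrieveRule(Query *parsetree,
 		rte->inFromCl = false;
 	}
 	rt_length = length(rtable);
-	rtable = nconc(rtable, copyObject(rule_action->rtable));
+
+	if (viewAclOverride)
+	{
+		List	   *rule_rtable, *rule_rt;
+		RangeTblEntry *rte;
+
+		rule_rtable = copyObject(rule_action->rtable);
+		foreach(rule_rt, rule_rtable)
+		{
+			rte = lfirst(rule_rt);
+
+			/*
+			 * tell the executor that the ACL check on this
+			 * range table entry is already done
+			 */
+			rte->skipAcl = true;
+		}
+
+		rtable = nconc(rtable, rule_rtable);
+	}
+	else
+	{
+		rtable = nconc(rtable, copyObject(rule_action->rtable));
+	}
 	parsetree->rtable = rtable;
 
 	rule_action->rtable = rtable;
@@ -750,3 +806,45 @@ deepRewriteQuery(Query *parsetree)
 
 	return rewritten;
 }
+
+
+static void
+CheckViewPerms(Relation view, List *rtable)
+{
+	HeapTuple	utup;
+	NameData	uname;
+	List	   *rt;
+	RangeTblEntry *rte;
+	int32		aclcheck_res;
+
+	/*
+	 * get the usename of the view's owner
+	 */
+	utup = SearchSysCacheTuple(USESYSID, view->rd_rel->relowner, 0, 0, 0);
+	if (!HeapTupleIsValid(utup))
+	{
+		elog(ERROR, "cache lookup for userid %d failed",
+			 view->rd_rel->relowner);
+	}
+	StrNCpy(uname.data,
+			((Form_pg_user) GETSTRUCT(utup))->usename.data,
+			NAMEDATALEN);
+
+	/*
+	 * check that we have read access to all the
+	 * classes in the range table of the view
+	 */
+	foreach(rt, rtable)
+	{
+		rte = (RangeTblEntry *) lfirst(rt);
+
+		aclcheck_res = pg_aclcheck(rte->relname, uname.data, ACL_RD);
+		if (aclcheck_res != ACLCHECK_OK)
+		{
+			elog(ERROR, "%s: %s", rte->relname, aclcheck_error_strings[aclcheck_res]);
+		}
+	}
+}
+
+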
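Review bot: CheckViewPerms authorizes each base relation by `rte->relname`, while the executor check it replaces (ExecCheckPerms) identifies the relation by `rte->relid` and opens it by OID; the two only coincide as long as the name stored in the view's rule action still belongs to the same relation. If a base table were dropped and recreated (or another table given that name) after the view was defined, the owner's ACL would be checked against the relation that now carries the name while the scan runs against the OID — I cannot confirm from this hunk how the rule's rtable is loaded, so treat this as something to verify, but resolving the name from the RELOID syscache as ExecCheckPerms does removes the dependence. Two smaller points in the same function: `relowner` is an Oid, so the `%d` in the cache-lookup error should be `%u`, and the thirteen-line comment between `if (length(rule->actions) > 1)` and its brace-less `return;` in ApplyRetrieveRule is a readability trap — put braces around the return and move the WARNING above the `if`.
```c
	foreach(rt, rtable)
	{
		HeapTuple	htp;
		char	   *relname;

		rte = (RangeTblEntry *) lfirst(rt);

		/* resolve by OID, as ExecCheckPerms does, so the ACL checked
		 * belongs to the relation the executor will actually open */
		htp = SearchSysCacheTuple(RELOID, ObjectIdGetDatum(rte->relid), 0, 0, 0);
		if (!HeapTupleIsValid(htp))
			elog(ERROR, "cache lookup for relid %u failed", rte->relid);
		relname = ((Form_pg_class) GETSTRUCT(htp))->relname.data;

		aclcheck_res = pg_aclcheck(relname, uname.data, ACL_RD);
		/* … unchanged: ACLCHECK_OK test and elog(ERROR, ...) … */
	}
```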

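--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -6,7 +6,7 @@
  *
  * Copyright (c) 1994, Regents of the University of California
  *
- * $Id: parsenodes.h,v 1.47 1998/02/10 16:04:26 momjian Exp $
+ * $Id: parsenodes.h,v 1.48 1998/02/21 06:32:02 scrappy Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -864,6 +864,7 @@ typedef struct RangeTblEntry
 	Oid			relid;
 	bool		inh;			/* inheritance? */
 	bool		inFromCl;		/* comes from From Clause */
+	bool		skipAcl;		/* skip ACL check in executor */
 } RangeTblEntry;
 
 /*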
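Review bot: The field comment on `skipAcl` says what the executor does with it but not who is allowed to set it, and since this single bit disables the only permission check on a scanned relation, the ownership rule belongs at the declaration where every RTE producer will see it. Suggested wording: `bool skipAcl; /* executor skips its ACL check: set ONLY by the rewriter on RTEs it has already checked against the view owner (CheckViewPerms) */`. The struct's opening lies outside this hunk.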

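--- a/src/interfaces/ecpg/Makefile
+++ b/src/interfaces/ecpg/Makefile
@@ -1,7 +1,5 @@
 SUBDIRS = include lib preproc doc
 
 all install uninstall clean:
-	$(MAKE) -C include $@
 	$(MAKE) -C lib $@
 	$(MAKE) -C preproc $@
-#	$(MAKE) -C doc $@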
