Commitaa11106

committed
Adjust permissions checking for ALTER OWNER commands: instead of
requiring superuserness always, allow an owner to reassign ownership to any role he is a member of, if that role would have the right to create a similar object. These three requirements essentially state that the would-be alterer has enough privilege to DROP the existing object and then re-CREATE it as the new role; so we might as well let him do it in one step. The ALTER TABLESPACE case is a bit squirrely, but the whole concept of non-superuser tablespace owners is pretty dubious anyway. Stephen Frost, code review by Tom Lane.
1 parentbd15782 commitaa11106


12 files changed

+229
-109
lines changed

12 files changed

+229
-109
lines changed

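--- a/src/backend/commands/aggregatecmds.c
+++ b/src/backend/commands/aggregatecmds.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/commands/aggregatecmds.c,v 1.27 2005/06/28 05:08:53 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/commands/aggregatecmds.c,v 1.28 2005/07/14 21:46:29 tgl Exp $
 *
 * DESCRIPTION
 * The "DefineFoo" routines take the parse tree and pick out the
@@ -302,6 +302,7 @@ AlterAggregateOwner(List *name, TypeName *basetype, Oid newOwnerId)
 HeapTupletup;
 Form_pg_procprocForm;
 Relationrel;
+AclResultaclresult;
 
 /*
 * if a basetype is passed in, then attempt to find an aggregate for
@@ -331,11 +332,20 @@ AlterAggregateOwner(List *name, TypeName *basetype, Oid newOwnerId)
 */
 if (procForm->proowner!=newOwnerId)
 {
-/* Otherwise, must be superuser to change object ownership */
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("must be superuser to change owner")));
+/* Otherwise, must be owner of the existing object */
+if (!pg_proc_ownercheck(procOid,GetUserId()))
+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,
+NameListToString(name));
+
+/* Must be able to become new owner */
+check_is_member_of_role(GetUserId(),newOwnerId);
+
+/* New owner must have CREATE privilege on namespace */
+aclresult=pg_namespace_aclcheck(procForm->pronamespace,newOwnerId,
+ACL_CREATE);
+if (aclresult!=ACLCHECK_OK)
+aclcheck_error(aclresult,ACL_KIND_NAMESPACE,
+get_namespace_name(procForm->pronamespace));
 
 /*
 * Modify the owner --- okay to scribble on tup because it's a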
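Review bot: The owner / role-membership / namespace-CREATE sequence added inside `if (procForm->proowner!=newOwnerId)` is repeated almost verbatim in functioncmds.c, conversioncmds.c, opclasscmds.c and operatorcmds.c in this commit, differing only in the ownercheck function, the ACL_KIND value and where the namespace OID comes from; a shared helper taking the object's ACL kind, its OID and its namespace would keep the five privilege gates from drifting apart when one of them is later amended. The rationale given in the commit message — that owner plus membership in the new role plus CREATE on the namespace is equivalent to being allowed to DROP the object and re-CREATE it as that role — is not stated in the code, so a comment such as `/* owner + member of new role + CREATE on namespace: could DROP and re-CREATE it as that role */` above the first check would let a reader verify the gate without the history. The enclosing function starts and ends outside the hunk.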

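--- a/src/backend/commands/conversioncmds.c
+++ b/src/backend/commands/conversioncmds.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/commands/conversioncmds.c,v 1.20 2005/07/07 20:39:58 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/commands/conversioncmds.c,v 1.21 2005/07/14 21:46:29 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -152,8 +152,7 @@ RenameConversion(List *name, const char *newname)
 newname,get_namespace_name(namespaceOid))));
 
 /* must be owner */
-if (!superuser()&&
-((Form_pg_conversion)GETSTRUCT(tup))->conowner!=GetUserId())
+if (!pg_conversion_ownercheck(conversionOid,GetUserId()))
 aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_CONVERSION,
 NameListToString(name));
 
@@ -182,6 +181,7 @@ AlterConversionOwner(List *name, Oid newOwnerId)
 HeapTupletup;
 Relationrel;
 Form_pg_conversionconvForm;
+AclResultaclresult;
 
 rel=heap_open(ConversionRelationId,RowExclusiveLock);
 
@@ -206,11 +206,20 @@ AlterConversionOwner(List *name, Oid newOwnerId)
 */
 if (convForm->conowner!=newOwnerId)
 {
-/* Otherwise, must be superuser to change object ownership */
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("must be superuser to change owner")));
+/* Otherwise, must be owner of the existing object */
+if (!pg_conversion_ownercheck(HeapTupleGetOid(tup),GetUserId()))
+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_CONVERSION,
+NameListToString(name));
+
+/* Must be able to become new owner */
+check_is_member_of_role(GetUserId(),newOwnerId);
+
+/* New owner must have CREATE privilege on namespace */
+aclresult=pg_namespace_aclcheck(convForm->connamespace,newOwnerId,
+ACL_CREATE);
+if (aclresult!=ACLCHECK_OK)
+aclcheck_error(aclresult,ACL_KIND_NAMESPACE,
+get_namespace_name(convForm->connamespace));
 
 /*
 * Modify the owner --- okay to scribble on tup because it's a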
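Review bot: In the AlterConversionOwner hunk the ownership check passes `HeapTupleGetOid(tup)`, whereas the RenameConversion hunk in the same file passes the already-resolved `conversionOid`, and AlterFunctionOwner and AlterOperatorOwner in this commit likewise pass the object OID they looked up. If AlterConversionOwner also keeps the OID in a local (its opening lines are above the hunk, so this is inferred), `if (!pg_conversion_ownercheck(conversionOid,GetUserId()))` would read consistently and avoid re-deriving the OID from the tuple. The enclosing function starts and ends outside the hunk.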

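--- a/src/backend/commands/dbcommands.c
+++ b/src/backend/commands/dbcommands.c
@@ -15,7 +15,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/commands/dbcommands.c,v 1.166 2005/07/08 04:12:24 neilc Exp $
+* $PostgreSQL: pgsql/src/backend/commands/dbcommands.c,v 1.167 2005/07/14 21:46:29 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -193,23 +193,19 @@ createdb(const CreatedbStmt *stmt)
 else
 datdba=GetUserId();
 
-if (is_member_of_role(GetUserId(),datdba))
-{
-/* creating database for self: createdb is required */
-if (!have_createdb_privilege())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("permission denied to create database")));
-}
-else
-{
-/* creating database for someone else: must be superuser */
-/* note that the someone else need not have any permissions */
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("must be superuser to create database for another user")));
-}
+/*
+* To create a database, must have createdb privilege and must be able
+* to become the target role (this does not imply that the target role
+* itself must have createdb privilege). The latter provision guards
+* against "giveaway" attacks. Note that a superuser will always have
+* both of these privileges a fortiori.
+*/
+if (!have_createdb_privilege())
+ereport(ERROR,
+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+errmsg("permission denied to create database")));
+
+check_is_member_of_role(GetUserId(),datdba);
 
 /*
 * Check for db name conflict.There is a race condition here, since
@@ -930,11 +926,26 @@ AlterDatabaseOwner(const char *dbname, Oid newOwnerId)
 boolisNull;
 HeapTuplenewtuple;
 
-/* must be superuser to change ownership */
-if (!superuser())
+/* Otherwise, must be owner of the existing object */
+if (!pg_database_ownercheck(HeapTupleGetOid(tuple),GetUserId()))
+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_DATABASE,
+dbname);
+
+/* Must be able to become new owner */
+check_is_member_of_role(GetUserId(),newOwnerId);
+
+/*
+* must have createdb rights
+*
+* NOTE: This is different from other alter-owner checks in
+* that the current user is checked for createdb privileges
+* instead of the destination owner. This is consistent
+* with the CREATE case for databases.
+*/
+if (!have_createdb_privilege())
 ereport(ERROR,
 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("must be superuserto change owner")));
+errmsg("permission deniedto change owner of database")));
 
 memset(repl_null,' ',sizeof(repl_null));
 memset(repl_repl,' ',sizeof(repl_repl));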
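Review bot: The AlterDatabaseOwner hunk drops the explicit `superuser()` test, so a superuser now passes only because `pg_database_ownercheck`, `check_is_member_of_role` and `have_createdb_privilege` each presumably short-circuit for superusers; none of the three new comments says so, while the createdb hunk above does spell out the same reliance ("a superuser will always have both of these privileges a fortiori"). A one-line comment ahead of the ownership check, e.g. `/* superusers satisfy all three checks implicitly */`, would make the intended bypass visible where the old `superuser()` call used to be. The hunk begins in the middle of a declaration list, so the enclosing block and the function start and end outside it.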

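--- a/src/backend/commands/functioncmds.c
+++ b/src/backend/commands/functioncmds.c
@@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/commands/functioncmds.c,v 1.63 2005/07/07 20:39:58 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/commands/functioncmds.c,v 1.64 2005/07/14 21:46:29 tgl Exp $
 *
 * DESCRIPTION
 * These routines take the parse tree and pick out the
@@ -859,6 +859,7 @@ AlterFunctionOwner(List *name, List *argtypes, Oid newOwnerId)
 HeapTupletup;
 Form_pg_procprocForm;
 Relationrel;
+AclResultaclresult;
 
 rel=heap_open(ProcedureRelationId,RowExclusiveLock);
 
@@ -892,11 +893,20 @@ AlterFunctionOwner(List *name, List *argtypes, Oid newOwnerId)
 boolisNull;
 HeapTuplenewtuple;
 
-/* Otherwise, must be superuser to change object ownership */
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("must be superuser to change owner")));
+/* Otherwise, must be owner of the existing object */
+if (!pg_proc_ownercheck(procOid,GetUserId()))
+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,
+NameListToString(name));
+
+/* Must be able to become new owner */
+check_is_member_of_role(GetUserId(),newOwnerId);
+
+/* New owner must have CREATE privilege on namespace */
+aclresult=pg_namespace_aclcheck(procForm->pronamespace,newOwnerId,
+ACL_CREATE);
+if (aclresult!=ACLCHECK_OK)
+aclcheck_error(aclresult,ACL_KIND_NAMESPACE,
+get_namespace_name(procForm->pronamespace));
 
 memset(repl_null,' ',sizeof(repl_null));
 memset(repl_repl,' ',sizeof(repl_repl));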

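--- a/src/backend/commands/opclasscmds.c
+++ b/src/backend/commands/opclasscmds.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/commands/opclasscmds.c,v 1.34 2005/07/07 20:39:58 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/commands/opclasscmds.c,v 1.35 2005/07/14 21:46:29 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -892,6 +892,7 @@ AlterOpClassOwner(List *name, const char *access_method, Oid newOwnerId)
 char*opcname;
 HeapTupletup;
 Relationrel;
+AclResultaclresult;
 Form_pg_opclassopcForm;
 
 amOid=GetSysCacheOid(AMNAME,
@@ -950,11 +951,20 @@ AlterOpClassOwner(List *name, const char *access_method, Oid newOwnerId)
 */
 if (opcForm->opcowner!=newOwnerId)
 {
-/* Otherwise, must be superuser to change object ownership */
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("must be superuser to change owner")));
+/* Otherwise, must be owner of the existing object */
+if (!pg_opclass_ownercheck(HeapTupleGetOid(tup),GetUserId()))
+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_OPCLASS,
+NameListToString(name));
+
+/* Must be able to become new owner */
+check_is_member_of_role(GetUserId(),newOwnerId);
+
+/* New owner must have CREATE privilege on namespace */
+aclresult=pg_namespace_aclcheck(namespaceOid,newOwnerId,
+ACL_CREATE);
+if (aclresult!=ACLCHECK_OK)
+aclcheck_error(aclresult,ACL_KIND_NAMESPACE,
+get_namespace_name(namespaceOid));
 
 /*
 * Modify the owner --- okay to scribble on tup because it's a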

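--- a/src/backend/commands/operatorcmds.c
+++ b/src/backend/commands/operatorcmds.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/commands/operatorcmds.c,v 1.23 2005/07/07 20:39:58 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/commands/operatorcmds.c,v 1.24 2005/07/14 21:46:29 tgl Exp $
 *
 * DESCRIPTION
 * The "DefineFoo" routines take the parse tree and pick out the
@@ -274,6 +274,7 @@ AlterOperatorOwner(List *name, TypeName *typeName1, TypeName *typeName2,
 OidoperOid;
 HeapTupletup;
 Relationrel;
+AclResultaclresult;
 Form_pg_operatoroprForm;
 
 rel=heap_open(OperatorRelationId,RowExclusiveLock);
@@ -295,11 +296,20 @@ AlterOperatorOwner(List *name, TypeName *typeName1, TypeName *typeName2,
 */
 if (oprForm->oprowner!=newOwnerId)
 {
-/* Otherwise, must be superuser to change object ownership */
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("must be superuser to change owner")));
+/* Otherwise, must be owner of the existing object */
+if (!pg_oper_ownercheck(operOid,GetUserId()))
+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_OPER,
+NameListToString(name));
+
+/* Must be able to become new owner */
+check_is_member_of_role(GetUserId(),newOwnerId);
+
+/* New owner must have CREATE privilege on namespace */
+aclresult=pg_namespace_aclcheck(oprForm->oprnamespace,newOwnerId,
+ACL_CREATE);
+if (aclresult!=ACLCHECK_OK)
+aclcheck_error(aclresult,ACL_KIND_NAMESPACE,
+get_namespace_name(oprForm->oprnamespace));
 
 /*
 * Modify the owner --- okay to scribble on tup because it's a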

