Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

Commitdf4405b

Browse files
committed
Allow users with BYPASSRLS to alter their own passwords.
The intention in commit491c029 was to require superuserness tochange the BYPASSRLS property, but the actual effect of the codingin AlterRole() was to require superuserness to change anything at allabout a BYPASSRLS role. Other properties of a BYPASSRLS role shouldbe changeable under the same rules as for a normal role, though.Fix that, and also take care of some documentation omissions relatedto BYPASSRLS and REPLICATION role properties.Tom Lane and Stephen Frost, per bug report from Wolfgang Walther.Back-patch to all supported branches.Discussion:https://postgr.es/m/a5548a9f-89ee-3167-129d-162b5985fcf8@technowledgy.de
1 parent7827497 commitdf4405b

File tree

3 files changed

+19
-8
lines changed

3 files changed

+19
-8
lines changed

‎doc/src/sgml/ref/alter_role.sgml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -69,8 +69,10 @@ ALTER ROLE { <replaceable class="PARAMETER">role_specification</replaceable> | A
6969
<xref linkend="SQL-REVOKE"> for that.)
7070
Attributes not mentioned in the command retain their previous settings.
7171
Database superusers can change any of these settings for any role.
72-
Roles having <literal>CREATEROLE</> privilege can change any of these
73-
settings, but only for non-superuser and non-replication roles.
72+
Roles having <literal>CREATEROLE</literal> privilege can change any of these
73+
settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
74+
and <literal>BYPASSRLS</literal>; but only for non-superuser and
75+
non-replication roles.
7476
Ordinary roles can only change their own password.
7577
</para>
7678

‎doc/src/sgml/ref/create_role.sgml

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -176,6 +176,8 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
176176
highly privileged role, and should only be used on roles actually
177177
used for replication. If not specified,
178178
<literal>NOREPLICATION</literal> is the default.
179+
You must be a superuser to create a new role having the
180+
<literal>REPLICATION</literal> attribute.
179181
</para>
180182
</listitem>
181183
</varlistentry>
@@ -187,11 +189,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
187189
<para>
188190
These clauses determine whether a role bypasses every row-level
189191
security (RLS) policy. <literal>NOBYPASSRLS</literal> is the default.
192+
You must be a superuser to create a new role having
193+
the <literal>BYPASSRLS</literal> attribute.
194+
</para>
195+
196+
<para>
190197
Note that pg_dump will set <literal>row_security</literal> to
191198
<literal>OFF</literal> by default, to ensure all contents of a table are
192199
dumped out. If the user running pg_dump does not have appropriate
193-
permissions, an error will be returned.The superuser and owner of the
194-
table being dumped always bypass RLS.
200+
permissions, an error will be returned.However, superusers and the
201+
owner of thetable being dumped always bypass RLS.
195202
</para>
196203
</listitem>
197204
</varlistentry>

‎src/backend/commands/user.c

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -694,8 +694,10 @@ AlterRole(AlterRoleStmt *stmt)
694694
roleid=HeapTupleGetOid(tuple);
695695

696696
/*
697-
* To mess with a superuser you gotta be superuser; else you need
698-
* createrole, or just want to change your own password
697+
* To mess with a superuser or replication role in any way you gotta be
698+
* superuser. We also insist on superuser to change the BYPASSRLS
699+
* property. Otherwise, if you don't have createrole, you're only allowed
700+
* to change your own password.
699701
*/
700702
if (authform->rolsuper||issuper >=0)
701703
{
@@ -711,7 +713,7 @@ AlterRole(AlterRoleStmt *stmt)
711713
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
712714
errmsg("must be superuser to alter replication users")));
713715
}
714-
elseif (authform->rolbypassrls||bypassrls >=0)
716+
elseif (bypassrls >=0)
715717
{
716718
if (!superuser())
717719
ereport(ERROR,
@@ -720,11 +722,11 @@ AlterRole(AlterRoleStmt *stmt)
720722
}
721723
elseif (!have_createrole_privilege())
722724
{
725+
/* We already checked issuper, isreplication, and bypassrls */
723726
if (!(inherit<0&&
724727
createrole<0&&
725728
createdb<0&&
726729
canlogin<0&&
727-
isreplication<0&&
728730
!dconnlimit&&
729731
!rolemembers&&
730732
!validUntil&&

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp