Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit1564e92

Browse files
committed
Require the issuer of CREATE TYPE to own the functions mentioned in the
type definition. Because use of a type's I/O conversion functions isn'taccess-checked, CREATE TYPE amounts to granting public execute permissionson the functions, and so allowing it to anybody means that someone couldtheoretically gain access to a function he's not supposed to be able toexecute. The parameter-type restrictions already enforced by CREATE TYPEmake it fairly unlikely that this oversight is meaningful in practice,but still it seems like a good idea to plug the hole going forward.Also, document the implicit grant just in case anybody gets the idea ofbuilding I/O functions that might need security restrictions.
1 parent4b3252c commit1564e92

File tree

2 files changed

+37
-2
lines changed

2 files changed

+37
-2
lines changed

‎doc/src/sgml/ref/create_type.sgml‎

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!--
2-
$PostgreSQL: pgsql/doc/src/sgml/ref/create_type.sgml,v 1.59 2005/11/01 21:09:50 tgl Exp $
2+
$PostgreSQL: pgsql/doc/src/sgml/ref/create_type.sgml,v 1.60 2006/01/13 18:06:45 tgl Exp $
33
PostgreSQL documentation
44
-->
55

@@ -446,6 +446,17 @@ CREATE TYPE <replaceable class="parameter">name</replaceable> (
446446
internally-created array type names.
447447
</para>
448448

449+
<para>
450+
Because there are no restrictions on use of a data type once it's been
451+
created, creating a base type is tantamount to granting public execute
452+
permission on the functions mentioned in the type definition. (The creator
453+
of the type is therefore required to own these functions.) This is usually
454+
not an issue for the sorts of functions that are useful in a type
455+
definition. But you might want to think twice before designing a type
456+
in a way that would require <quote>secret</> information to be used
457+
while converting it to or from external form.
458+
</para>
459+
449460
<para>
450461
In <productname>PostgreSQL</productname> versions before 7.3, it
451462
was customary to avoid creating a shell type by replacing the

‎src/backend/commands/typecmds.c‎

Lines changed: 25 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/backend/commands/typecmds.c,v 1.85 2005/11/22 18:17:09 momjian Exp $
11+
* $PostgreSQL: pgsql/src/backend/commands/typecmds.c,v 1.86 2006/01/13 18:06:45 tgl Exp $
1212
*
1313
* DESCRIPTION
1414
* The "DefineFoo" routines take the parse tree and pick out the
@@ -330,6 +330,30 @@ DefineType(List *names, List *parameters)
330330
if (analyzeName)
331331
analyzeOid=findTypeAnalyzeFunction(analyzeName,typoid);
332332

333+
/*
334+
* Check permissions on functions. We choose to require the creator/owner
335+
* of a type to also own the underlying functions. Since creating a type
336+
* is tantamount to granting public execute access on the functions, the
337+
* minimum sane check would be for execute-with-grant-option. But we don't
338+
* have a way to make the type go away if the grant option is revoked, so
339+
* ownership seems better.
340+
*/
341+
if (inputOid&& !pg_proc_ownercheck(inputOid,GetUserId()))
342+
aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,
343+
NameListToString(inputName));
344+
if (outputOid&& !pg_proc_ownercheck(outputOid,GetUserId()))
345+
aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,
346+
NameListToString(outputName));
347+
if (receiveOid&& !pg_proc_ownercheck(receiveOid,GetUserId()))
348+
aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,
349+
NameListToString(receiveName));
350+
if (sendOid&& !pg_proc_ownercheck(sendOid,GetUserId()))
351+
aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,
352+
NameListToString(sendName));
353+
if (analyzeOid&& !pg_proc_ownercheck(analyzeOid,GetUserId()))
354+
aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,
355+
NameListToString(analyzeName));
356+
333357
/*
334358
* now have TypeCreate do all the real work.
335359
*/

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp