NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit49a08ca

committed

Adjust the permissions required for COMMENT ON ROLE.

Formerly, any member of a role could change the role's comment, as ofcourse could superusers; but holders of CREATEROLE privilege could not,unless they were also members. This led to the odd situation that aCREATEROLE holder could create a role but then could not comment on it.It also seems a bit dubious to let an unprivileged user change his owncomment, let alone those of group roles he belongs to. So, change therule to be "you must be superuser to comment on a superuser role, orhold CREATEROLE to comment on non-superuser roles". This is the sameas the privilege check for creating/dropping roles, and thus fits muchbetter with the rule for other object types, namely that only the ownerof an object can comment on it.In passing, clean up the documentation for COMMENT a little bit.Per complaint from Owen Jacobson and subsequent discussion.

1 parentc290476 commit49a08caCopy full SHA for 49a08ca

File tree

6 files changed

+91

-46

lines changed

doc/src/sgml
- func.sgml
- ref
  - comment.sgml
src
- backend
  - catalog
    - aclchk.c
    - objectaddress.c
  - commands
    - user.c
- include/utils
  - acl.h

6 files changed

+91

-46

lines changed

`‎doc/src/sgml/func.sgml`

Lines changed: 6 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -13588,10 +13588,10 @@ SELECT typlen FROM pg_type WHERE oid = pg_typeof(33);`
`13588`	`13588`	`</table>`
`13589`	`13589`
`13590`	`13590`	`<para>`
`13591`		`- <function>col_description</function> returns the comment for a table column,`
`13592`		`- which is specified by the OID of its table and its column number.`
`13593`		`- <function>obj_description</function> cannot be used for table columns since`
`13594`		`- columns do not have OIDs of their own.`
	`13591`	`+ <function>col_description</function> returns the comment for a table`
	`13592`	`+column,which is specified by the OID of its table and its column number.`
	`13593`	`+(<function>obj_description</function> cannot be used for table columns`
	`13594`	`+sincecolumns do not have OIDs of their own.)`
`13595`	`13595`	`</para>`
`13596`	`13596`
`13597`	`13597`	`<para>`
`@@ -13610,8 +13610,8 @@ SELECT typlen FROM pg_type WHERE oid = pg_typeof(33);`
`13610`	`13610`	`<function>shobj_description</function> is used just like`
`13611`	`13611`	`<function>obj_description</function> except it is used for retrieving`
`13612`	`13612`	`comments on shared objects. Some system catalogs are global to all`
`13613`		`- databases within each cluster andtheir descriptionsare stored globally`
`13614`		`- as well.`
	`13613`	`+ databases within each cluster, andthe descriptionsfor objects in them`
	`13614`	`+are stored globallyas well.`
`13615`	`13615`	`</para>`
`13616`	`13616`
`13617`	`13617`	`<indexterm>`

`‎doc/src/sgml/ref/comment.sgml`

Lines changed: 33 additions & 19 deletions

Original file line number	Diff line number	Diff line change
`@@ -65,11 +65,18 @@ COMMENT ON`
`65`	`65`	`</para>`
`66`	`66`
`67`	`67`	`<para>`
`68`		`- To modify a comment, issue a new <command>COMMENT</> command for the`
`69`		`- same object. Only one comment string is stored for each object.`
`70`		`- To remove a comment, write <literal>NULL</literal> in place of the text`
`71`		`- string.`
`72`		`- Comments are automatically dropped when the object is dropped.`
	`68`	`+ Only one comment string is stored for each object, so to modify a comment,`
	`69`	`+ issue a new <command>COMMENT</> command for the same object. To remove a`
	`70`	`+ comment, write <literal>NULL</literal> in place of the text string.`
	`71`	`+ Comments are automatically dropped when their object is dropped.`
	`72`	`+ </para>`
	`73`	`+`
	`74`	`+ <para>`
	`75`	`+ For most kinds of object, only the object's owner can set the comment.`
	`76`	`+ Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</> is`
	`77`	`+ that you must be superuser to comment on a superuser role, or have the`
	`78`	`+ <literal>CREATEROLE</> privilege to comment on non-superuser roles.`
	`79`	`+ Of course, a superuser can comment on anything.`
`73`	`80`	`</para>`
`74`	`81`
`75`	`82`	`<para>`
`@@ -93,15 +100,15 @@ COMMENT ON`
`93`	`100`	`<term><replaceable class="parameter">agg_name</replaceable></term>`
`94`	`101`	`<term><replaceable class="parameter">constraint_name</replaceable></term>`
`95`	`102`	`<term><replaceable class="parameter">function_name</replaceable></term>`
`96`		`- <term><replaceable class="parameter">op</replaceable></term>`
	`103`	`+ <term><replaceable class="parameter">operator_name</replaceable></term>`
`97`	`104`	`<term><replaceable class="parameter">rule_name</replaceable></term>`
`98`	`105`	`<term><replaceable class="parameter">trigger_name</replaceable></term>`
`99`	`106`	`<listitem>`
`100`	`107`	`<para>`
`101`	`108`	`The name of the object to be commented. Names of tables,`
`102`		`- aggregates, domains, foreign tables, functions, indexes, operators,`
`103`		`- operator classes, operator families, sequences, text search objects,`
`104`		`- types, and views can be schema-qualified.`
	`109`	`+ aggregates,collations, conversions,domains, foreign tables, functions,`
	`110`	`+indexes, operators,operator classes, operator families, sequences,`
	`111`	`+text search objects,types, and views can be schema-qualified.`
`105`	`112`	`</para>`
`106`	`113`	`</listitem>`
`107`	`114`	`</varlistentry>`
`@@ -137,7 +144,6 @@ COMMENT ON`
`137`	`144`
`138`	`145`	`<varlistentry>`
`139`	`146`	`<term><replaceable class="parameter">argmode</replaceable></term>`
`140`		`-`
`141`	`147`	`<listitem>`
`142`	`148`	`<para>`
`143`	`149`	`The mode of a function argument: <literal>IN</>, <literal>OUT</>,`
`@@ -154,7 +160,6 @@ COMMENT ON`
`154`	`160`
`155`	`161`	`<varlistentry>`
`156`	`162`	`<term><replaceable class="parameter">argname</replaceable></term>`
`157`		`-`
`158`	`163`	`<listitem>`
`159`	`164`	`<para>`
`160`	`165`	`The name of a function argument.`
`@@ -167,7 +172,6 @@ COMMENT ON`
`167`	`172`
`168`	`173`	`<varlistentry>`
`169`	`174`	`<term><replaceable class="parameter">argtype</replaceable></term>`
`170`		`-`
`171`	`175`	`<listitem>`
`172`	`176`	`<para>`
`173`	`177`	`The data type(s) of the function's arguments (optionally`
`@@ -185,9 +189,20 @@ COMMENT ON`
`185`	`189`	`</listitem>`
`186`	`190`	`</varlistentry>`
`187`	`191`
	`192`	`+ <varlistentry>`
	`193`	`+ <term><replaceable class="parameter">left_type</replaceable></term>`
	`194`	`+ <term><replaceable class="parameter">right_type</replaceable></term>`
	`195`	`+ <listitem>`
	`196`	`+ <para>`
	`197`	`+ The data type(s) of the operator's arguments (optionally`
	`198`	`+ schema-qualified). Write <literal>NONE</> for the missing argument`
	`199`	`+ of a prefix or postfix operator.`
	`200`	`+ </para>`
	`201`	`+ </listitem>`
	`202`	`+ </varlistentry>`
	`203`	`+`
`188`	`204`	`<varlistentry>`
`189`	`205`	`<term><literal>PROCEDURAL</literal></term>`
`190`		`-`
`191`	`206`	`<listitem>`
`192`	`207`	`<para>`
`193`	`208`	`This is a noise word.`
`@@ -212,12 +227,11 @@ COMMENT ON`
`212`	`227`	`<title>Notes</title>`
`213`	`228`
`214`	`229`	`<para>`
`215`		`- There is presently no security mechanism for comments: any user`
	`230`	`+ There is presently no security mechanism forviewingcomments: any user`
`216`	`231`	`connected to a database can see all the comments for objects in`
`217`		`- that database (although only superusers can change comments for`
`218`		`- objects that they don't own). For shared objects such as`
`219`		`- databases, roles, and tablespaces comments are stored globally`
`220`		`- and any user connected to any database can see all the comments`
	`232`	`+ that database. For shared objects such as`
	`233`	`+ databases, roles, and tablespaces, comments are stored globally so any`
	`234`	`+ user connected to any database in the cluster can see all the comments`
`221`	`235`	`for shared objects. Therefore, don't put security-critical`
`222`	`236`	`information in comments.`
`223`	`237`	`</para>`
`@@ -257,7 +271,7 @@ COMMENT ON INDEX my_index IS 'Enforces uniqueness on employee ID';`
`257`	`271`	`COMMENT ON LANGUAGE plpython IS 'Python support for stored procedures';`
`258`	`272`	`COMMENT ON LARGE OBJECT 346344 IS 'Planning document';`
`259`	`273`	`COMMENT ON OPERATOR ^ (text, text) IS 'Performs intersection of two texts';`
`260`		`-COMMENT ON OPERATOR - (NONE,text) IS 'This is a prefix operator on text';`
	`274`	`+COMMENT ON OPERATOR - (NONE,integer) IS 'Unary minus';`
`261`	`275`	`COMMENT ON OPERATOR CLASS int4ops USING btree IS '4 byte integer operators for btrees';`
`262`	`276`	`COMMENT ON OPERATOR FAMILY integer_ops USING btree IS 'all integer operators for btrees';`
`263`	`277`	`COMMENT ON ROLE my_role IS 'Administration group for finance tables';`

`‎src/backend/catalog/aclchk.c`

Lines changed: 30 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -4735,6 +4735,36 @@ pg_extension_ownercheck(Oid ext_oid, Oid roleid)`
`4735`	`4735`	`returnhas_privs_of_role(roleid,ownerId);`
`4736`	`4736`	`}`
`4737`	`4737`
	`4738`	`+/*`
	`4739`	`+ * Check whether specified role has CREATEROLE privilege (or is a superuser)`
	`4740`	`+ *`
	`4741`	`+ * Note: roles do not have owners per se; instead we use this test in`
	`4742`	`+ * places where an ownership-like permissions test is needed for a role.`
	`4743`	`+ * Be sure to apply it to the role trying to do the operation, not the`
	`4744`	`+ * role being operated on! Also note that this generally should not be`
	`4745`	`+ * considered enough privilege if the target role is a superuser.`
	`4746`	`+ * (We don't handle that consideration here because we want to give a`
	`4747`	`+ * separate error message for such cases, so the caller has to deal with it.)`
	`4748`	`+ */`
	`4749`	`+bool`
	`4750`	`+has_createrole_privilege(Oidroleid)`
	`4751`	`+{`
	`4752`	`+boolresult= false;`
	`4753`	`+HeapTupleutup;`
	`4754`	`+`
	`4755`	`+/* Superusers bypass all permission checking. */`
	`4756`	`+if (superuser_arg(roleid))`
	`4757`	`+return true;`
	`4758`	`+`
	`4759`	`+utup=SearchSysCache1(AUTHOID,ObjectIdGetDatum(roleid));`
	`4760`	`+if (HeapTupleIsValid(utup))`
	`4761`	`+{`
	`4762`	`+result= ((Form_pg_authid)GETSTRUCT(utup))->rolcreaterole;`
	`4763`	`+ReleaseSysCache(utup);`
	`4764`	`+}`
	`4765`	`+returnresult;`
	`4766`	`+}`
	`4767`	`+`
`4738`	`4768`	`/*`
`4739`	`4769`	`* Fetch pg_default_acl entry for given role, namespace and object type`
`4740`	`4770`	`* (object type must be given in pg_default_acl's encoding).`

`‎src/backend/catalog/objectaddress.c`

Lines changed: 20 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -808,13 +808,6 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,`
`808`	`808`	`aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_TABLESPACE,`
`809`	`809`	`NameListToString(objname));`
`810`	`810`	`break;`
`811`		`-caseOBJECT_ROLE:`
`812`		`-if (!has_privs_of_role(roleid,address.objectId))`
`813`		`-ereport(ERROR,`
`814`		`-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`815`		`-errmsg("must be member of role \"%s\"",`
`816`		`-NameListToString(objname))));`
`817`		`-break;`
`818`	`811`	`caseOBJECT_TSDICTIONARY:`
`819`	`812`	`if (!pg_ts_dict_ownercheck(address.objectId,roleid))`
`820`	`813`	`aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_TSDICTIONARY,`
`@@ -825,6 +818,26 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,`
`825`	`818`	`aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_TSCONFIGURATION,`
`826`	`819`	`NameListToString(objname));`
`827`	`820`	`break;`
	`821`	`+caseOBJECT_ROLE:`
	`822`	`+/*`
	`823`	`+ * We treat roles as being "owned" by those with CREATEROLE priv,`
	`824`	`+ * except that superusers are only owned by superusers.`
	`825`	`+ */`
	`826`	`+if (superuser_arg(address.objectId))`
	`827`	`+{`
	`828`	`+if (!superuser_arg(roleid))`
	`829`	`+ereport(ERROR,`
	`830`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`831`	`+errmsg("must be superuser")));`
	`832`	`+}`
	`833`	`+else`
	`834`	`+{`
	`835`	`+if (!has_createrole_privilege(roleid))`
	`836`	`+ereport(ERROR,`
	`837`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`838`	`+errmsg("must have CREATEROLE privilege")));`
	`839`	`+}`
	`840`	`+break;`
`828`	`841`	`caseOBJECT_FDW:`
`829`	`842`	`caseOBJECT_TSPARSER:`
`830`	`843`	`caseOBJECT_TSTEMPLATE:`

`‎src/backend/commands/user.c`

Lines changed: 1 addition & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -58,20 +58,7 @@ static void DelRoleMems(const char *rolename, Oid roleid,`
`58`	`58`	`staticbool`
`59`	`59`	`have_createrole_privilege(void)`
`60`	`60`	`{`
`61`		`-boolresult= false;`
`62`		`-HeapTupleutup;`
`63`		`-`
`64`		`-/* Superusers can always do everything */`
`65`		`-if (superuser())`
`66`		`-return true;`
`67`		`-`
`68`		`-utup=SearchSysCache1(AUTHOID,ObjectIdGetDatum(GetUserId()));`
`69`		`-if (HeapTupleIsValid(utup))`
`70`		`-{`
`71`		`-result= ((Form_pg_authid)GETSTRUCT(utup))->rolcreaterole;`
`72`		`-ReleaseSysCache(utup);`
`73`		`-}`
`74`		`-returnresult;`
	`61`	`+returnhas_createrole_privilege(GetUserId());`
`75`	`62`	`}`
`76`	`63`
`77`	`64`

`‎src/include/utils/acl.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -317,5 +317,6 @@ extern bool pg_ts_dict_ownercheck(Oid dict_oid, Oid roleid);`
`317`	`317`	`externboolpg_ts_config_ownercheck(Oidcfg_oid,Oidroleid);`
`318`	`318`	`externboolpg_foreign_server_ownercheck(Oidsrv_oid,Oidroleid);`
`319`	`319`	`externboolpg_extension_ownercheck(Oidext_oid,Oidroleid);`
	`320`	`+externboolhas_createrole_privilege(Oidroleid);`
`320`	`321`
`321`	`322`	`#endif/* ACL_H */`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit49a08ca

File tree

6 files changed

6 files changed

`‎doc/src/sgml/func.sgml`

`‎doc/src/sgml/ref/comment.sgml`

`‎src/backend/catalog/aclchk.c`

`‎src/backend/catalog/objectaddress.c`

`‎src/backend/commands/user.c`

`‎src/include/utils/acl.h`

0 commit comments