Commit 49a08ca

Adjust the permissions required for COMMENT ON ROLE.
Formerly, any member of a role could change the role's comment, as of course could superusers; but holders of CREATEROLE privilege could not, unless they were also members. This led to the odd situation that a CREATEROLE holder could create a role but then could not comment on it. It also seems a bit dubious to let an unprivileged user change his own comment, let alone those of group roles he belongs to. So, change the rule to be "you must be superuser to comment on a superuser role, or hold CREATEROLE to comment on non-superuser roles". This is the same as the privilege check for creating/dropping roles, and thus fits much better with the rule for other object types, namely that only the owner of an object can comment on it.

In passing, clean up the documentation for COMMENT a little bit.

Per complaint from Owen Jacobson and subsequent discussion.
1 parent c290476 commit 49a08ca

6 files changed: +91 -46 lines changed

‎doc/src/sgml/func.sgml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -13588,10 +13588,10 @@ SELECT typlen FROM pg_type WHERE oid = pg_typeof(33);
1358813588
</table>
1358913589

1359013590
<para>
13591-
<function>col_description</function> returns the comment for a table column,
13592-
which is specified by the OID of its table and its column number.
13593-
<function>obj_description</function> cannot be used for table columns since
13594-
columns do not have OIDs of their own.
13591+
<function>col_description</function> returns the comment for a table
13592+
column,which is specified by the OID of its table and its column number.
13593+
(<function>obj_description</function> cannot be used for table columns
13594+
sincecolumns do not have OIDs of their own.)
1359513595
</para>
1359613596

1359713597
<para>
@@ -13610,8 +13610,8 @@ SELECT typlen FROM pg_type WHERE oid = pg_typeof(33);
1361013610
<function>shobj_description</function> is used just like
1361113611
<function>obj_description</function> except it is used for retrieving
1361213612
comments on shared objects. Some system catalogs are global to all
13613-
databases within each cluster andtheir descriptionsare stored globally
13614-
as well.
13613+
databases within each cluster, andthe descriptionsfor objects in them
13614+
are stored globallyas well.
1361513615
</para>
1361613616

1361713617
<indexterm>

‎doc/src/sgml/ref/comment.sgml

Lines changed: 33 additions & 19 deletions
@@ -65,11 +65,18 @@ COMMENT ON
6565
</para>
6666

6767
<para>
68-
To modify a comment, issue a new <command>COMMENT</> command for the
69-
same object. Only one comment string is stored for each object.
70-
To remove a comment, write <literal>NULL</literal> in place of the text
71-
string.
72-
Comments are automatically dropped when the object is dropped.
68+
Only one comment string is stored for each object, so to modify a comment,
69+
issue a new <command>COMMENT</> command for the same object. To remove a
70+
comment, write <literal>NULL</literal> in place of the text string.
71+
Comments are automatically dropped when their object is dropped.
72+
</para>
73+
74+
<para>
75+
For most kinds of object, only the object's owner can set the comment.
76+
Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</> is
77+
that you must be superuser to comment on a superuser role, or have the
78+
<literal>CREATEROLE</> privilege to comment on non-superuser roles.
79+
Of course, a superuser can comment on anything.
7380
</para>
7481

7582
<para>
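
Review bot: the added permissions paragraph should say outright that membership in the target role is not sufficient for COMMENT ON ROLE. The commit message describes the earlier rule as "any member of a role could change the role's comment", so a reader who relied on that only learns of the change by inference from "you must be superuser ... or have the CREATEROLE privilege". One extra sentence after the CREATEROLE clause would cover it.
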
@@ -93,15 +100,15 @@ COMMENT ON
93100
<term><replaceable class="parameter">agg_name</replaceable></term>
94101
<term><replaceable class="parameter">constraint_name</replaceable></term>
95102
<term><replaceable class="parameter">function_name</replaceable></term>
96-
<term><replaceable class="parameter">op</replaceable></term>
103+
<term><replaceable class="parameter">operator_name</replaceable></term>
97104
<term><replaceable class="parameter">rule_name</replaceable></term>
98105
<term><replaceable class="parameter">trigger_name</replaceable></term>
99106
<listitem>
100107
<para>
101108
The name of the object to be commented. Names of tables,
102-
aggregates, domains, foreign tables, functions, indexes, operators,
103-
operator classes, operator families, sequences, text search objects,
104-
types, and views can be schema-qualified.
109+
aggregates,collations, conversions,domains, foreign tables, functions,
110+
indexes, operators,operator classes, operator families, sequences,
111+
text search objects,types, and views can be schema-qualified.
105112
</para>
106113
</listitem>
107114
</varlistentry>
@@ -137,7 +144,6 @@ COMMENT ON
137144

138145
<varlistentry>
139146
<term><replaceable class="parameter">argmode</replaceable></term>
140-
141147
<listitem>
142148
<para>
143149
The mode of a function argument: <literal>IN</>, <literal>OUT</>,
@@ -154,7 +160,6 @@ COMMENT ON
154160

155161
<varlistentry>
156162
<term><replaceable class="parameter">argname</replaceable></term>
157-
158163
<listitem>
159164
<para>
160165
The name of a function argument.
@@ -167,7 +172,6 @@ COMMENT ON
167172

168173
<varlistentry>
169174
<term><replaceable class="parameter">argtype</replaceable></term>
170-
171175
<listitem>
172176
<para>
173177
The data type(s) of the function's arguments (optionally
@@ -185,9 +189,20 @@ COMMENT ON
185189
</listitem>
186190
</varlistentry>
187191

192+
<varlistentry>
193+
<term><replaceable class="parameter">left_type</replaceable></term>
194+
<term><replaceable class="parameter">right_type</replaceable></term>
195+
<listitem>
196+
<para>
197+
The data type(s) of the operator's arguments (optionally
198+
schema-qualified). Write <literal>NONE</> for the missing argument
199+
of a prefix or postfix operator.
200+
</para>
201+
</listitem>
202+
</varlistentry>
203+
188204
<varlistentry>
189205
<term><literal>PROCEDURAL</literal></term>
190-
191206
<listitem>
192207
<para>
193208
This is a noise word.
@@ -212,12 +227,11 @@ COMMENT ON
212227
<title>Notes</title>
213228

214229
<para>
215-
There is presently no security mechanism for comments: any user
230+
There is presently no security mechanism forviewingcomments: any user
216231
connected to a database can see all the comments for objects in
217-
that database (although only superusers can change comments for
218-
objects that they don't own). For shared objects such as
219-
databases, roles, and tablespaces comments are stored globally
220-
and any user connected to any database can see all the comments
232+
that database. For shared objects such as
233+
databases, roles, and tablespaces, comments are stored globally so any
234+
user connected to any database in the cluster can see all the comments
221235
for shared objects. Therefore, don't put security-critical
222236
information in comments.
223237
</para>
@@ -257,7 +271,7 @@ COMMENT ON INDEX my_index IS 'Enforces uniqueness on employee ID';
257271
COMMENT ON LANGUAGE plpython IS 'Python support for stored procedures';
258272
COMMENT ON LARGE OBJECT 346344 IS 'Planning document';
259273
COMMENT ON OPERATOR ^ (text, text) IS 'Performs intersection of two texts';
260-
COMMENT ON OPERATOR - (NONE,text) IS 'This is a prefix operator on text';
274+
COMMENT ON OPERATOR - (NONE,integer) IS 'Unary minus';
261275
COMMENT ON OPERATOR CLASS int4ops USING btree IS '4 byte integer operators for btrees';
262276
COMMENT ON OPERATOR FAMILY integer_ops USING btree IS 'all integer operators for btrees';
263277
COMMENT ON ROLE my_role IS 'Administration group for finance tables';

‎src/backend/catalog/aclchk.c

Lines changed: 30 additions & 0 deletions
@@ -4735,6 +4735,36 @@ pg_extension_ownercheck(Oid ext_oid, Oid roleid)
47354735
returnhas_privs_of_role(roleid,ownerId);
47364736
}
47374737

4738+
/*
4739+
* Check whether specified role has CREATEROLE privilege (or is a superuser)
4740+
*
4741+
* Note: roles do not have owners per se; instead we use this test in
4742+
* places where an ownership-like permissions test is needed for a role.
4743+
* Be sure to apply it to the role trying to do the operation, not the
4744+
* role being operated on! Also note that this generally should not be
4745+
* considered enough privilege if the target role is a superuser.
4746+
* (We don't handle that consideration here because we want to give a
4747+
* separate error message for such cases, so the caller has to deal with it.)
4748+
*/
4749+
bool
4750+
has_createrole_privilege(Oidroleid)
4751+
{
4752+
boolresult= false;
4753+
HeapTupleutup;
4754+
4755+
/* Superusers bypass all permission checking. */
4756+
if (superuser_arg(roleid))
4757+
return true;
4758+
4759+
utup=SearchSysCache1(AUTHOID,ObjectIdGetDatum(roleid));
4760+
if (HeapTupleIsValid(utup))
4761+
{
4762+
result= ((Form_pg_authid)GETSTRUCT(utup))->rolcreaterole;
4763+
ReleaseSysCache(utup);
4764+
}
4765+
returnresult;
4766+
}
4767+
47384768
/*
47394769
* Fetch pg_default_acl entry for given role, namespace and object type
47404770
* (object type must be given in pg_default_acl's encoding).
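
Review bot: the header comment for has_createrole_privilege does not state the result when roleid has no pg_authid row. In that case the HeapTupleIsValid test fails and the function returns the initial false, which is the safe default but cannot be told apart from "role exists and lacks CREATEROLE"; a line in the comment saying that a missing role yields false would make that a documented contract. The comment also leaves the superuser-target check to every caller, while the function name reads like a complete permission test, so it would help to say in the comment which check the caller is expected to pair it with (superuser_arg on the target role, as the OBJECT_ROLE case does).
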

‎src/backend/catalog/objectaddress.c

Lines changed: 20 additions & 7 deletions
@@ -808,13 +808,6 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
808808
aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_TABLESPACE,
809809
NameListToString(objname));
810810
break;
811-
caseOBJECT_ROLE:
812-
if (!has_privs_of_role(roleid,address.objectId))
813-
ereport(ERROR,
814-
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
815-
errmsg("must be member of role \"%s\"",
816-
NameListToString(objname))));
817-
break;
818811
caseOBJECT_TSDICTIONARY:
819812
if (!pg_ts_dict_ownercheck(address.objectId,roleid))
820813
aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_TSDICTIONARY,
@@ -825,6 +818,26 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
825818
aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_TSCONFIGURATION,
826819
NameListToString(objname));
827820
break;
821+
caseOBJECT_ROLE:
822+
/*
823+
* We treat roles as being "owned" by those with CREATEROLE priv,
824+
* except that superusers are only owned by superusers.
825+
*/
826+
if (superuser_arg(address.objectId))
827+
{
828+
if (!superuser_arg(roleid))
829+
ereport(ERROR,
830+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
831+
errmsg("must be superuser")));
832+
}
833+
else
834+
{
835+
if (!has_createrole_privilege(roleid))
836+
ereport(ERROR,
837+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
838+
errmsg("must have CREATEROLE privilege")));
839+
}
840+
break;
828841
caseOBJECT_FDW:
829842
caseOBJECT_TSPARSER:
830843
caseOBJECT_TSTEMPLATE:
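
Review bot: the new OBJECT_ROLE case has three distinct outcomes and none of the six files in this commit is a regression test. A test should cover a non-superuser with CREATEROLE commenting on a superuser role ("must be superuser"), a member of a role without CREATEROLE commenting on that role ("must have CREATEROLE privilege"), and a CREATEROLE holder commenting on a non-superuser role (allowed). Separately, both new errmsg strings drop the target role name that the removed "must be member of role \"%s\"" message carried via NameListToString(objname); keeping the name in the message or in an errdetail would make denied attempts easier to trace in the server log.
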

‎src/backend/commands/user.c

Lines changed: 1 addition & 14 deletions
@@ -58,20 +58,7 @@ static void DelRoleMems(const char *rolename, Oid roleid,
5858
staticbool
5959
have_createrole_privilege(void)
6060
{
61-
boolresult= false;
62-
HeapTupleutup;
63-
64-
/* Superusers can always do everything */
65-
if (superuser())
66-
return true;
67-
68-
utup=SearchSysCache1(AUTHOID,ObjectIdGetDatum(GetUserId()));
69-
if (HeapTupleIsValid(utup))
70-
{
71-
result= ((Form_pg_authid)GETSTRUCT(utup))->rolcreaterole;
72-
ReleaseSysCache(utup);
73-
}
74-
returnresult;
61+
returnhas_createrole_privilege(GetUserId());
7562
}
7663

7764
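
Review bot: have_createrole_privilege(void) in user.c and the new exported has_createrole_privilege(Oid) differ by a single letter, which makes it easy to call or grep for the wrong one. Since the static function is now only "return has_createrole_privilege(GetUserId());", either give it a short comment saying it is the current-user shorthand for the acl.h function, or replace its call sites with the explicit call and drop the wrapper.
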

‎src/include/utils/acl.h

Lines changed: 1 addition & 0 deletions
@@ -317,5 +317,6 @@ extern bool pg_ts_dict_ownercheck(Oid dict_oid, Oid roleid);
317317
externboolpg_ts_config_ownercheck(Oidcfg_oid,Oidroleid);
318318
externboolpg_foreign_server_ownercheck(Oidsrv_oid,Oidroleid);
319319
externboolpg_extension_ownercheck(Oidext_oid,Oidroleid);
320+
externboolhas_createrole_privilege(Oidroleid);
320321

321322
#endif/* ACL_H */
