NotificationsYou must be signed in to change notification settings
Fork5
Star27

Commit7d6d02b

committed

Document that CREATE OPERATOR CLASS amounts to granting public execute

permissions on the functions and operators contained in the opclass.Since we already require superuser privilege to create an operator class,there's no expansion-of-privilege hazard here, but if someone were to getthe idea of building an opclass containing functions that need securityrestrictions, we'd better warn them off. Also, change the permissionchecks from have-execute-privilege to have-ownership, and then commentthem all out since they're dead code anyway under the superuser restriction.

1 parent1564e92 commit7d6d02bCopy full SHA for 7d6d02b

File tree

2 files changed

+52

-15

lines changed

doc/src/sgml/ref
- create_opclass.sgml
src/backend/commands
- opclasscmds.c

2 files changed

+52

-15

lines changed

`‎doc/src/sgml/ref/create_opclass.sgml‎`

Lines changed: 12 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$PostgreSQL: pgsql/doc/src/sgml/ref/create_opclass.sgml,v 1.13 2005/01/14 01:16:52 tgl Exp $`
	`2`	`+$PostgreSQL: pgsql/doc/src/sgml/ref/create_opclass.sgml,v 1.14 2006/01/13 18:10:25 tgl Exp $`
`3`	`3`	`PostgreSQL documentation`
`4`	`4`	`-->`
`5`	`5`
`@@ -59,8 +59,9 @@ CREATE OPERATOR CLASS <replaceable class="parameter">name</replaceable> [ DEFAUL`
`59`	`59`
`60`	`60`	`<para>`
`61`	`61`	`<command>CREATE OPERATOR CLASS</command> does not presently check`
`62`		`- whether the operator class definition includes all the operators and functions`
`63`		`- required by the index method. It is the user's`
	`62`	`+ whether the operator class definition includes all the operators and`
	`63`	`+ functions required by the index method, nor whether the operators and`
	`64`	`+ functions form a self-consistent set. It is the user's`
`64`	`65`	`responsibility to define a valid operator class.`
`65`	`66`	`</para>`
`66`	`67`
`@@ -208,6 +209,14 @@ CREATE OPERATOR CLASS <replaceable class="parameter">name</replaceable> [ DEFAUL`
`208`	`209`	`<refsect1>`
`209`	`210`	`<title>Notes</title>`
`210`	`211`
	`212`	`+ <para>`
	`213`	`+ Because the index machinery does not check access permissions on functions`
	`214`	`+ before using them, including a function or operator in an operator class`
	`215`	`+ is tantamount to granting public execute permission on it. This is usually`
	`216`	`+ not an issue for the sorts of functions that are useful in an operator`
	`217`	`+ class.`
	`218`	`+ </para>`
	`219`	`+`
`211`	`220`	`<para>`
`212`	`221`	`The operators should not be defined by SQL functions. A SQL function`
`213`	`222`	`is likely to be inlined into the calling query, which will prevent`

`‎src/backend/commands/opclasscmds.c‎`

Lines changed: 40 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`*`
`10`	`10`	`*`
`11`	`11`	`* IDENTIFICATION`
`12`		`- * $PostgreSQL: pgsql/src/backend/commands/opclasscmds.c,v 1.40 2005/11/22 18:17:09 momjian Exp $`
	`12`	`+ * $PostgreSQL: pgsql/src/backend/commands/opclasscmds.c,v 1.41 2006/01/13 18:10:25 tgl Exp $`
`13`	`13`	`*`
`14`	`14`	`*-------------------------------------------------------------------------`
`15`	`15`	`*/`
`@@ -119,11 +119,24 @@ DefineOpClass(CreateOpClassStmt *stmt)`
`119`	`119`	`ReleaseSysCache(tup);`
`120`	`120`
`121`	`121`	`/*`
	`122`	`+ * The question of appropriate permissions for CREATE OPERATOR CLASS is`
	`123`	`+ * interesting. Creating an opclass is tantamount to granting public`
	`124`	`+ * execute access on the functions involved, since the index machinery`
	`125`	`+ * generally does not check access permission before using the functions.`
	`126`	`+ * A minimum expectation therefore is that the caller have execute`
	`127`	`+ * privilege with grant option. Since we don't have a way to make the`
	`128`	`+ * opclass go away if the grant option is revoked, we choose instead to`
	`129`	`+ * require ownership of the functions. It's also not entirely clear what`
	`130`	`+ * permissions should be required on the datatype, but ownership seems`
	`131`	`+ * like a safe choice.`
	`132`	`+ *`
`122`	`133`	`* Currently, we require superuser privileges to create an opclass. This`
`123`	`134`	`* seems necessary because we have no way to validate that the offered set`
`124`	`135`	`* of operators and functions are consistent with the AM's expectations.`
`125`	`136`	`* It would be nice to provide such a check someday, if it can be done`
`126`	`137`	`* without solving the halting problem :-(`
	`138`	`+ *`
	`139`	`+ * XXX re-enable NOT_USED code sections below if you remove this test.`
`127`	`140`	`*/`
`128`	`141`	`if (!superuser())`
`129`	`142`	`ereport(ERROR,`
`@@ -156,7 +169,6 @@ DefineOpClass(CreateOpClassStmt *stmt)`
`156`	`169`	`OidoperOid;`
`157`	`170`	`OidfuncOid;`
`158`	`171`	`OpClassMember*member;`
`159`		`-AclResultaclresult;`
`160`	`172`
`161`	`173`	`Assert(IsA(item,CreateOpClassItem));`
`162`	`174`	`switch (item->itemtype)`
`@@ -184,13 +196,19 @@ DefineOpClass(CreateOpClassStmt *stmt)`
`184`	`196`	`operOid=LookupOperName(item->name,typeoid,typeoid,`
`185`	`197`	`false);`
`186`	`198`	`}`
`187`		`-/* Caller must have execute permission on operators */`
	`199`	`+`
	`200`	`+#ifdefNOT_USED`
	`201`	`+/* XXX this is unnecessary given the superuser check above */`
	`202`	`+/* Caller must own operator and its underlying function */`
	`203`	`+if (!pg_oper_ownercheck(operOid,GetUserId()))`
	`204`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_OPER,`
	`205`	`+get_opname(operOid));`
`188`	`206`	`funcOid=get_opcode(operOid);`
`189`		`-aclresult=pg_proc_aclcheck(funcOid,GetUserId(),`
`190`		`-ACL_EXECUTE);`
`191`		`-if (aclresult!=ACLCHECK_OK)`
`192`		`-aclcheck_error(aclresult,ACL_KIND_PROC,`
	`207`	`+if (!pg_proc_ownercheck(funcOid,GetUserId()))`
	`208`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,`
`193`	`209`	`get_func_name(funcOid));`
	`210`	`+#endif`
	`211`	`+`
`194`	`212`	`/* Save the info */`
`195`	`213`	`member= (OpClassMember*)palloc0(sizeof(OpClassMember));`
`196`	`214`	`member->object=operOid;`
`@@ -208,12 +226,14 @@ DefineOpClass(CreateOpClassStmt *stmt)`
`208`	`226`	`item->number,numProcs)));`
`209`	`227`	`funcOid=LookupFuncNameTypeNames(item->name,item->args,`
`210`	`228`	`false);`
`211`		`-/* Caller must have execute permission on functions */`
`212`		`-aclresult=pg_proc_aclcheck(funcOid,GetUserId(),`
`213`		`-ACL_EXECUTE);`
`214`		`-if (aclresult!=ACLCHECK_OK)`
`215`		`-aclcheck_error(aclresult,ACL_KIND_PROC,`
	`229`	`+#ifdefNOT_USED`
	`230`	`+/* XXX this is unnecessary given the superuser check above */`
	`231`	`+/* Caller must own function */`
	`232`	`+if (!pg_proc_ownercheck(funcOid,GetUserId()))`
	`233`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,`
`216`	`234`	`get_func_name(funcOid));`
	`235`	`+#endif`
	`236`	`+`
`217`	`237`	`/* Save the info */`
`218`	`238`	`member= (OpClassMember*)palloc0(sizeof(OpClassMember));`
`219`	`239`	`member->object=funcOid;`
`@@ -227,6 +247,14 @@ DefineOpClass(CreateOpClassStmt *stmt)`
`227`	`247`	`(errcode(ERRCODE_INVALID_OBJECT_DEFINITION),`
`228`	`248`	`errmsg("storage type specified more than once")));`
`229`	`249`	`storageoid=typenameTypeId(item->storedtype);`
	`250`	`+`
	`251`	`+#ifdefNOT_USED`
	`252`	`+/* XXX this is unnecessary given the superuser check above */`
	`253`	`+/* Check we have ownership of the datatype */`
	`254`	`+if (!pg_type_ownercheck(storageoid,GetUserId()))`
	`255`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_TYPE,`
	`256`	`+format_type_be(storageoid));`
	`257`	`+#endif`
`230`	`258`	`break;`
`231`	`259`	`default:`
`232`	`260`	`elog(ERROR,"unrecognized item type: %d",item->itemtype);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7d6d02b

File tree

2 files changed

2 files changed

`‎doc/src/sgml/ref/create_opclass.sgml‎`

`‎src/backend/commands/opclasscmds.c‎`

0 commit comments