Commit c3d8de0

Disregard superuserness when checking to see if a role GRANT would
create circularity of role memberships. This is a minimum-impact fix for the problem reported by Florian Pflug. I thought about removing the superuser_arg test from is_member_of_role() altogether, as it seems redundant for many of the callers --- but not all, and it's way too late in the 8.1 cycle to be making large changes. Perhaps reconsider this later.
1 parent e47ea05 commit c3d8de0

3 files changed

+27
-5
lines changed

‎src/backend/commands/user.c

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
77
* Portions Copyright (c) 1994, Regents of the University of California
88
*
9-
* $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.163 2005/10/29 00:31:51 petere Exp $
9+
* $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.164 2005/11/04 17:25:15 tgl Exp $
1010
*
1111
*-------------------------------------------------------------------------
1212
*/
@@ -1214,9 +1214,10 @@ AddRoleMems(const char *rolename, Oid roleid,
12141214
* Refuse creation of membership loops, including the trivial case
12151215
* where a role is made a member of itself. We do this by checking to
12161216
* see if the target role is already a member of the proposed member
1217-
* role.
1217+
* role. We have to ignore possible superuserness, however, else we
1218+
* could never grant membership in a superuser-privileged role.
12181219
*/
1219-
if (is_member_of_role(roleid,memberid))
1220+
if (is_member_of_role_nosuper(roleid,memberid))
12201221
ereport(ERROR,
12211222
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
12221223
(errmsg("role \"%s\" is a member of role \"%s\"",
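Review bot: The loop check in AddRoleMems now calls is_member_of_role_nosuper(roleid, memberid), but none of the three files in this commit adds a regression test for either side of the change. A test that grants membership in a superuser-privileged role (which must now succeed) and one that attempts a genuine loop, including a role granted to itself (which must still raise ERRCODE_INVALID_GRANT_OPERATION), would pin the behaviour down. The comment could also state that the superuserness being ignored is that of the target role, since roleid is what gets passed as the member argument here.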

‎src/backend/utils/adt/acl.c

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.126 2005/10/15 02:49:27 momjian Exp $
11+
* $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.127 2005/11/04 17:25:15 tgl Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -3067,6 +3067,26 @@ check_is_member_of_role(Oid member, Oid role)
30673067
GetUserNameFromId(role))));
30683068
}
30693069

3070+
/*
3071+
* Is member a member of role, not considering superuserness?
3072+
*
3073+
* This is identical to is_member_of_role except we ignore superuser
3074+
* status.
3075+
*/
3076+
bool
3077+
is_member_of_role_nosuper(Oidmember,Oidrole)
3078+
{
3079+
/* Fast path for simple case */
3080+
if (member==role)
3081+
return true;
3082+
3083+
/*
3084+
* Find all the roles that member is a member of, including multi-level
3085+
* recursion, then see if target role is any one of them.
3086+
*/
3087+
returnlist_member_oid(roles_is_member_of(member),role);
3088+
}
3089+
30703090

30713091
/*
30723092
* Is member an admin of role (directly or indirectly)? That is, is it
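Review bot: is_member_of_role_nosuper is described in its own header comment as identical to is_member_of_role apart from the superuser test, so the membership logic now lives in two places. Consider having is_member_of_role perform its superuser check and then return is_member_of_role_nosuper(member, role), so the two cannot drift apart. The commit message already marks this area for later reconsideration, and a single shared body would make that follow-up smaller.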

‎src/include/utils/acl.h

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
88
* Portions Copyright (c) 1994, Regents of the University of California
99
*
10-
* $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.85 2005/10/15 02:49:46 momjian Exp $
10+
* $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.86 2005/11/04 17:25:15 tgl Exp $
1111
*
1212
* NOTES
1313
* An ACL array is simply an array of AclItems, representing the union
@@ -212,6 +212,7 @@ extern intaclmembers(const Acl *acl, Oid **roleids);
212212

213213
externboolhas_privs_of_role(Oidmember,Oidrole);
214214
externboolis_member_of_role(Oidmember,Oidrole);
215+
externboolis_member_of_role_nosuper(Oidmember,Oidrole);
215216
externboolis_admin_of_role(Oidmember,Oidrole);
216217
externvoidcheck_is_member_of_role(Oidmember,Oidrole);
217218
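Review bot: The new extern for is_member_of_role_nosuper sits next to has_privs_of_role and is_member_of_role with no hint of when each applies. A one-line comment in acl.h saying that the _nosuper variant answers a pure membership-graph question (as in the AddRoleMems loop check) would help callers pick the right one.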
