database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-21 15:54:08 +03:00
Code

Fix bugs in manipulation of large objects.

Browse Source 
In v16 and up (since commit afbfc0298), large object ownership
checking has been broken because object_ownercheck() didn't take care
of the discrepancy between our object-address representation of large
objects (classId == LargeObjectRelationId) and the catalog where their
ownership info is actually stored (LargeObjectMetadataRelationId).
This resulted in failures such as "unrecognized class ID: 2613"
when trying to update blob properties as a non-superuser.

Poking around for related bugs, I found that AlterObjectOwner_internal
would pass the wrong classId to the PostAlterHook in the no-op code
path where the large object already has the desired owner.  Also,
recordExtObjInitPriv checked for the wrong classId; that bug is only
latent because the stanza is dead code anyway, but as long as we're
carrying it around it should be less wrong.  These bugs are quite old.

In HEAD, we can reduce the scope for future bugs of this ilk by
changing AlterObjectOwner_internal's API to let the translation happen
inside that function, rather than requiring callers to know about it.

A more bulletproof fix, perhaps, would be to start using
LargeObjectMetadataRelationId as the dependency and object-address
classId for blobs.  However that has substantial risk of breaking
third-party code; even within our own code, it'd create hassles
for pg_dump which would have to cope with a version-dependent
representation.  For now, keep the status quo.

Discussion: https://postgr.es/m/2650449.1702497209@sss.pgh.pa.us
This commit is contained in:
Tom Lane 2023-12-15 13:55:05 -05:00
parent db69101a1d
commit 152bfc0af8
8 changed files with 50 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/backend/catalog/aclchk.c
View File

@ -3967,9 +3967,14 @@ object_ownercheck(Oid classid, Oid objectid, Oid roleid)
if (superuser_arg(roleid)) if (superuser_arg(roleid))
return true; return true;
/* For large objects, the catalog to consult is pg_largeobject_metadata */
if (classid == LargeObjectRelationId)
classid = LargeObjectMetadataRelationId;
cacheid = get_object_catcache_oid(classid); cacheid = get_object_catcache_oid(classid);
if (cacheid != -1) if (cacheid != -1)
{ {
/* we can get the object's tuple from the syscache */
HeapTuple tuple; HeapTuple tuple;
tuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objectid)); tuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objectid));
@ -3986,7 +3991,6 @@ object_ownercheck(Oid classid, Oid objectid, Oid roleid)
else else
{ {
/* for catalogs without an appropriate syscache */ /* for catalogs without an appropriate syscache */
Relation rel; Relation rel;
ScanKeyData entry[1]; ScanKeyData entry[1];
SysScanDesc scan; SysScanDesc scan;
@ -4306,9 +4310,9 @@ recordExtObjInitPriv(Oid objoid, Oid classoid)
ReleaseSysCache(tuple); ReleaseSysCache(tuple);
} }
/* pg_largeobject_metadata */ else if (classoid == LargeObjectRelationId)
else if (classoid == LargeObjectMetadataRelationId)
{ {
/* For large objects, we must consult pg_largeobject_metadata */
Datum aclDatum; Datum aclDatum;
bool isNull; bool isNull;
HeapTuple tuple; HeapTuple tuple;

4
src/backend/catalog/pg_shdepend.c
View File

@ -1618,6 +1618,10 @@ shdepReassignOwned(List *roleids, Oid newrole)
Oid classId = sdepForm->classid; Oid classId = sdepForm->classid;
Relation catalog; Relation catalog;
/*
* For large objects, the catalog to modify is
* pg_largeobject_metadata
*/
if (classId == LargeObjectRelationId) if (classId == LargeObjectRelationId)
classId = LargeObjectMetadataRelationId; classId = LargeObjectMetadataRelationId;

22
src/backend/commands/alter.c
View File

@ -929,9 +929,8 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
classId = address.classId; classId = address.classId;
/* /*
* XXX - get_object_address returns Oid of pg_largeobject * For large objects, the catalog to modify is
* catalog for OBJECT_LARGEOBJECT because of historical * pg_largeobject_metadata
* reasons. Fix up it here.
*/ */
if (classId == LargeObjectRelationId) if (classId == LargeObjectRelationId)
classId = LargeObjectMetadataRelationId; classId = LargeObjectMetadataRelationId;
@ -1075,9 +1074,14 @@ AlterObjectOwner_internal(Relation rel, Oid objectId, Oid new_ownerId)
/* Perform actual update */ /* Perform actual update */
CatalogTupleUpdate(rel, &newtup->t_self, newtup); CatalogTupleUpdate(rel, &newtup->t_self, newtup);
/* Update owner dependency reference */ /*
* Update owner dependency reference. When working on a large object,
* we have to translate back to the OID conventionally used for LOs'
* classId.
*/
if (classId == LargeObjectMetadataRelationId) if (classId == LargeObjectMetadataRelationId)
classId = LargeObjectRelationId; classId = LargeObjectRelationId;
changeDependencyOnOwner(classId, objectId, new_ownerId); changeDependencyOnOwner(classId, objectId, new_ownerId);
/* Release memory */ /* Release memory */
@ -1085,6 +1089,16 @@ AlterObjectOwner_internal(Relation rel, Oid objectId, Oid new_ownerId)
pfree(nulls); pfree(nulls);
pfree(replaces); pfree(replaces);
} }
else
{
/*
* No need to change anything. But when working on a large object, we
* have to translate back to the OID conventionally used for LOs'
* classId, or the post-alter hook (if any) will get confused.
*/
if (classId == LargeObjectMetadataRelationId)
classId = LargeObjectRelationId;
}
InvokeObjectPostAlterHook(classId, objectId, 0); InvokeObjectPostAlterHook(classId, objectId, 0);
} }

4
src/backend/libpq/be-fsstubs.c
View File

@ -43,7 +43,7 @@
#include <unistd.h> #include <unistd.h>
#include "access/xact.h" #include "access/xact.h"
#include "catalog/pg_largeobject_metadata.h" #include "catalog/pg_largeobject.h"
#include "libpq/be-fsstubs.h" #include "libpq/be-fsstubs.h"
#include "libpq/libpq-fs.h" #include "libpq/libpq-fs.h"
#include "miscadmin.h" #include "miscadmin.h"
@ -323,7 +323,7 @@ be_lo_unlink(PG_FUNCTION_ARGS)
* relevant FDs. * relevant FDs.
*/ */
if (!lo_compat_privileges && if (!lo_compat_privileges &&
!object_ownercheck(LargeObjectMetadataRelationId, lobjId, GetUserId())) !object_ownercheck(LargeObjectRelationId, lobjId, GetUserId()))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be owner of large object %u", lobjId))); errmsg("must be owner of large object %u", lobjId)));

9
src/backend/storage/large_object/inv_api.c
View File

@ -221,11 +221,10 @@ inv_create(Oid lobjId)
/* /*
* dependency on the owner of largeobject * dependency on the owner of largeobject
* *
* The reason why we use LargeObjectRelationId instead of * Note that LO dependencies are recorded using classId
* LargeObjectMetadataRelationId here is to provide backward compatibility * LargeObjectRelationId for backwards-compatibility reasons. Using
* to the applications which utilize a knowledge about internal layout of * LargeObjectMetadataRelationId instead would simplify matters for the
* system catalogs. OID of pg_largeobject_metadata and loid of * backend, but it'd complicate pg_dump and possibly break other clients.
* pg_largeobject are same value, so there are no actual differences here.
*/ */
recordDependencyOnOwner(LargeObjectRelationId, recordDependencyOnOwner(LargeObjectRelationId,
lobjId_new, GetUserId()); lobjId_new, GetUserId());

5
src/test/regress/expected/largeobject.out
View File

@ -6,7 +6,7 @@
\getenv abs_builddir PG_ABS_BUILDDIR \getenv abs_builddir PG_ABS_BUILDDIR
-- ensure consistent test output regardless of the default bytea format -- ensure consistent test output regardless of the default bytea format
SET bytea_output TO escape; SET bytea_output TO escape;
-- Test ALTER LARGE OBJECT OWNER, GRANT, COMMENT -- Test ALTER LARGE OBJECT OWNER
CREATE ROLE regress_lo_user; CREATE ROLE regress_lo_user;
SELECT lo_create(42); SELECT lo_create(42);
lo_create lo_create
@ -15,8 +15,11 @@ SELECT lo_create(42);
(1 row) (1 row)
ALTER LARGE OBJECT 42 OWNER TO regress_lo_user; ALTER LARGE OBJECT 42 OWNER TO regress_lo_user;
-- Test GRANT, COMMENT as non-superuser
SET SESSION AUTHORIZATION regress_lo_user;
GRANT SELECT ON LARGE OBJECT 42 TO public; GRANT SELECT ON LARGE OBJECT 42 TO public;
COMMENT ON LARGE OBJECT 42 IS 'the ultimate answer'; COMMENT ON LARGE OBJECT 42 IS 'the ultimate answer';
RESET SESSION AUTHORIZATION;
-- Test psql's \lo_list et al (we assume no other LOs exist yet) -- Test psql's \lo_list et al (we assume no other LOs exist yet)
\lo_list \lo_list
Large objects Large objects

5
src/test/regress/expected/largeobject_1.out
View File

@ -6,7 +6,7 @@
\getenv abs_builddir PG_ABS_BUILDDIR \getenv abs_builddir PG_ABS_BUILDDIR
-- ensure consistent test output regardless of the default bytea format -- ensure consistent test output regardless of the default bytea format
SET bytea_output TO escape; SET bytea_output TO escape;
-- Test ALTER LARGE OBJECT OWNER, GRANT, COMMENT -- Test ALTER LARGE OBJECT OWNER
CREATE ROLE regress_lo_user; CREATE ROLE regress_lo_user;
SELECT lo_create(42); SELECT lo_create(42);
lo_create lo_create
@ -15,8 +15,11 @@ SELECT lo_create(42);
(1 row) (1 row)
ALTER LARGE OBJECT 42 OWNER TO regress_lo_user; ALTER LARGE OBJECT 42 OWNER TO regress_lo_user;
-- Test GRANT, COMMENT as non-superuser
SET SESSION AUTHORIZATION regress_lo_user;
GRANT SELECT ON LARGE OBJECT 42 TO public; GRANT SELECT ON LARGE OBJECT 42 TO public;
COMMENT ON LARGE OBJECT 42 IS 'the ultimate answer'; COMMENT ON LARGE OBJECT 42 IS 'the ultimate answer';
RESET SESSION AUTHORIZATION;
-- Test psql's \lo_list et al (we assume no other LOs exist yet) -- Test psql's \lo_list et al (we assume no other LOs exist yet)
\lo_list \lo_list
Large objects Large objects

8
src/test/regress/sql/largeobject.sql
View File

@ -9,13 +9,19 @@
-- ensure consistent test output regardless of the default bytea format -- ensure consistent test output regardless of the default bytea format
SET bytea_output TO escape; SET bytea_output TO escape;
-- Test ALTER LARGE OBJECT OWNER, GRANT, COMMENT -- Test ALTER LARGE OBJECT OWNER
CREATE ROLE regress_lo_user; CREATE ROLE regress_lo_user;
SELECT lo_create(42); SELECT lo_create(42);
ALTER LARGE OBJECT 42 OWNER TO regress_lo_user; ALTER LARGE OBJECT 42 OWNER TO regress_lo_user;
-- Test GRANT, COMMENT as non-superuser
SET SESSION AUTHORIZATION regress_lo_user;
GRANT SELECT ON LARGE OBJECT 42 TO public; GRANT SELECT ON LARGE OBJECT 42 TO public;
COMMENT ON LARGE OBJECT 42 IS 'the ultimate answer'; COMMENT ON LARGE OBJECT 42 IS 'the ultimate answer';
RESET SESSION AUTHORIZATION;
-- Test psql's \lo_list et al (we assume no other LOs exist yet) -- Test psql's \lo_list et al (we assume no other LOs exist yet)
\lo_list \lo_list
\lo_list+ \lo_list+