Use has_privs_for_roles for predefined role checks

Generally if a role is granted membership to another role with NOINHERIT they must use SET ROLE to access the privileges of that role, however with predefined roles the membership and privilege is conflated. Fix that by replacing is_member_of_role with has_privs_for_role for predefined roles. Patch does not remove is_member_of_role from acl.h, but it does add a warning not to use that function for privilege checking. Not backpatched based on hackers list discussion. Author: Joshua Brindle Reviewed-by: Stephen Frost, Nathan Bossart, Joe Conway Discussion: https://postgr.es/m/flat/CAGB+Vh4Zv_TvKt2tv3QNS6tUM_F_9icmuj0zjywwcgVi4PAhFA@mail.gmail.com
2025-08-08 06:02:22 +03:00 · 2022-03-28 15:10:04 -04:00
parent 79de9842ab
commit 6198420ad8
23 changed files with 68 additions and 64 deletions
--- a/doc/src/sgml/adminpack.sgml
+++ b/doc/src/sgml/adminpack.sgml
@@ -22,9 +22,9 @@
  functions in <xref linkend="functions-admin-genfile-table"/>, which
  provide read-only access.)
  Only files within the database cluster directory can be accessed, unless the
-  user is a superuser or given one of the pg_read_server_files, or pg_write_server_files
-  roles, as appropriate for the function, but either a relative or absolute path is
-  allowable.
+  user is a superuser or given privileges of one of the pg_read_server_files, 
+  or pg_write_server_files roles, as appropriate for the function, but either a
+  relative or absolute path is allowable.
 </para>

 <table id="functions-adminpack-table">
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -10044,8 +10044,8 @@ SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&l

  <para>
   By default, the <structname>pg_backend_memory_contexts</structname> view can be
-   read only by superusers or members of the <literal>pg_read_all_stats</literal>
-   role.
+   read only by superusers or roles with the privileges of the
+   <literal>pg_read_all_stats</literal> role.
  </para>
 </sect1>

@@ -12552,7 +12552,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
      <para>
       Configuration file the current value was set in (null for
       values set from sources other than configuration files, or when
-       examined by a user who is neither a superuser or a member of
+       examined by a user who neither is a superuser nor has privileges of
       <literal>pg_read_all_settings</literal>); helpful when using
       <literal>include</literal> directives in configuration files
      </para></entry>
@@ -12565,7 +12565,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
      <para>
       Line number within the configuration file the current value was
       set at (null for values set from sources other than configuration files,
-       or when examined by a user who is neither a superuser or a member of
+       or when examined by a user who neither is a superuser nor has privileges of
       <literal>pg_read_all_settings</literal>).
      </para></entry>
     </row>
@@ -12941,8 +12941,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx

  <para>
   By default, the <structname>pg_shmem_allocations</structname> view can be
-   read only by superusers or members of the <literal>pg_read_all_stats</literal>
-   role.
+   read only by superusers or roles with privileges of the
+   <literal>pg_read_all_stats</literal> role.
  </para>
 </sect1>

--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -25435,7 +25435,7 @@ SELECT collation for ('foo' COLLATE "de_DE");
        Cancels the current query of the session whose backend process has the
        specified process ID.  This is also allowed if the
        calling role is a member of the role whose backend is being canceled or
-        the calling role has been granted <literal>pg_signal_backend</literal>,
+        the calling role has privileges of <literal>pg_signal_backend</literal>,
        however only superusers can cancel superuser backends.
       </para></entry>
      </row>
@@ -25508,7 +25508,7 @@ SELECT collation for ('foo' COLLATE "de_DE");
        Terminates the session whose backend process has the
        specified process ID.  This is also allowed if the calling role
        is a member of the role whose backend is being terminated or the
-        calling role has been granted <literal>pg_signal_backend</literal>,
+        calling role has privileges of <literal>pg_signal_backend</literal>,
        however only superusers can terminate superuser backends.
       </para>
       <para>
@@ -26783,7 +26783,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
        Computes the total disk space used by the database with the specified
        name or OID.  To use this function, you must
        have <literal>CONNECT</literal> privilege on the specified database
-        (which is granted by default) or be a member of
+        (which is granted by default) or have privileges of
        the <literal>pg_read_all_stats</literal> role.
       </para></entry>
      </row>
@@ -26913,7 +26913,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
        Computes the total disk space used in the tablespace with the
        specified name or OID. To use this function, you must
        have <literal>CREATE</literal> privilege on the specified tablespace
-        or be a member of the <literal>pg_read_all_stats</literal> role,
+        or have privileges of the <literal>pg_read_all_stats</literal> role,
        unless it is the default tablespace for the current database.
       </para></entry>
      </row>
@@ -27392,7 +27392,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size
        a dot, directories, and other special files are excluded.
       </para>
       <para>
-        This function is restricted to superusers and members of
+        This function is restricted to superusers and roles with privileges of
        the <literal>pg_monitor</literal> role by default, but other users can
        be granted EXECUTE to run the function.
       </para></entry>
@@ -27416,7 +27416,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size
        are excluded.
       </para>
       <para>
-        This function is restricted to superusers and members of
+        This function is restricted to superusers and roles with privileges of 
        the <literal>pg_monitor</literal> role by default, but other users can
        be granted EXECUTE to run the function.
       </para></entry>
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -280,7 +280,7 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
   (sessions belonging to a role that they are a member of).  In rows about
   other sessions, many columns will be null.  Note, however, that the
   existence of a session and its general properties such as its sessions user
-   and database are visible to all users.  Superusers and members of the
+   and database are visible to all users.  Superusers and roles with privileges of
   built-in role <literal>pg_read_all_stats</literal> (see also <xref
   linkend="predefined-roles"/>) can see all the information about all sessions.
  </para>
--- a/doc/src/sgml/pgbuffercache.sgml
+++ b/doc/src/sgml/pgbuffercache.sgml
@@ -24,7 +24,7 @@
 </para>

 <para>
-  By default, use is restricted to superusers and members of the
+  By default, use is restricted to superusers and roles with privileges of the
  <literal>pg_monitor</literal> role. Access may be granted to others
  using <command>GRANT</command>.
 </para>
--- a/doc/src/sgml/pgfreespacemap.sgml
+++ b/doc/src/sgml/pgfreespacemap.sgml
@@ -16,7 +16,7 @@
 </para>

 <para>
-  By default use is restricted to superusers and members of the
+  By default use is restricted to superusers and roles with privileges of the
  <literal>pg_stat_scan_tables</literal> role. Access may be granted to others
  using <command>GRANT</command>.
 </para>
--- a/doc/src/sgml/pgrowlocks.sgml
+++ b/doc/src/sgml/pgrowlocks.sgml
@@ -13,7 +13,7 @@
 </para>

 <para>
-  By default use is restricted to superusers, members of the
+  By default use is restricted to superusers, roles with privileges of the
  <literal>pg_stat_scan_tables</literal> role, and users with
  <literal>SELECT</literal> permissions on the table.
 </para>
--- a/doc/src/sgml/pgstatstatements.sgml
+++ b/doc/src/sgml/pgstatstatements.sgml
@@ -384,7 +384,7 @@
  </table>

  <para>
-   For security reasons, only superusers and members of the
+   For security reasons, only superusers and roles with privileges of the
   <literal>pg_read_all_stats</literal> role are allowed to see the SQL text and
   <structfield>queryid</structfield> of queries executed by other users.
   Other users can see the statistics, however, if the view has been installed
--- a/doc/src/sgml/pgvisibility.sgml
+++ b/doc/src/sgml/pgvisibility.sgml
@@ -140,8 +140,8 @@
  </variablelist>

  <para>
-   By default, these functions are executable only by superusers and members of the
-   <literal>pg_stat_scan_tables</literal> role, with the exception of
+   By default, these functions are executable only by superusers and roles with privileges
+   of the <literal>pg_stat_scan_tables</literal> role, with the exception of
   <function>pg_truncate_visibility_map(relation regclass)</function> which can only
   be executed by superusers.
  </para>