mirror of
https://github.com/postgres/postgres.git
synced 2025-07-26 01:22:12 +03:00
Revert MAINTAIN privilege and pg_maintain predefined role.
This reverts the following commits:4dbdb82513,c2122aae63,5b1a879943,9e1e9d6560,ff9618e82a,60684dd834,4441fc704d, andb5d6382496. A role with the MAINTAIN privilege may be able to use search_path tricks to escalate privileges to the table owner. Unfortunately, it is too late in the v16 development cycle to apply the proposed fix, i.e., restricting search_path when running maintenance commands. Bumps catversion. Reviewed-by: Jeff Davis Discussion: https://postgr.es/m/E1q7j7Y-000z1H-Hr%40gemulon.postgresql.org Backpatch-through: 16
This commit is contained in:
Nathan Bossart
@ -1718,8 +1718,8 @@ ALTER TABLE products RENAME TO items;
|
||||
<literal>INSERT</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>,
|
||||
<literal>TRUNCATE</literal>, <literal>REFERENCES</literal>, <literal>TRIGGER</literal>,
|
||||
<literal>CREATE</literal>, <literal>CONNECT</literal>, <literal>TEMPORARY</literal>,
|
||||
<literal>EXECUTE</literal>, <literal>USAGE</literal>, <literal>SET</literal>,
|
||||
<literal>ALTER SYSTEM</literal>, and <literal>MAINTAIN</literal>.
|
||||
<literal>EXECUTE</literal>, <literal>USAGE</literal>, <literal>SET</literal>
|
||||
and <literal>ALTER SYSTEM</literal>.
|
||||
The privileges applicable to a particular
|
||||
object vary depending on the object's type (table, function, etc.).
|
||||
More detail about the meanings of these privileges appears below.
|
||||
@ -2010,19 +2010,7 @@ REVOKE ALL ON accounts FROM PUBLIC;
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry id="ddl-priv-maintain">
|
||||
<term><literal>MAINTAIN</literal></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Allows <command>VACUUM</command>, <command>ANALYZE</command>,
|
||||
<command>CLUSTER</command>, <command>REFRESH MATERIALIZED VIEW</command>,
|
||||
<command>REINDEX</command>, and <command>LOCK TABLE</command> on a
|
||||
relation.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</variablelist>
|
||||
|
||||
The privileges required by other commands are listed on the
|
||||
reference page of the respective command.
|
||||
@ -2171,11 +2159,6 @@ REVOKE ALL ON accounts FROM PUBLIC;
|
||||
<entry><literal>A</literal></entry>
|
||||
<entry><literal>PARAMETER</literal></entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry><literal>MAINTAIN</literal></entry>
|
||||
<entry><literal>m</literal></entry>
|
||||
<entry><literal>TABLE</literal></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
@ -2266,7 +2249,7 @@ REVOKE ALL ON accounts FROM PUBLIC;
|
||||
</row>
|
||||
<row>
|
||||
<entry><literal>TABLE</literal> (and table-like objects)</entry>
|
||||
<entry><literal>arwdDxtm</literal></entry>
|
||||
<entry><literal>arwdDxt</literal></entry>
|
||||
<entry>none</entry>
|
||||
<entry><literal>\dp</literal></entry>
|
||||
</row>
|
||||
@ -2325,11 +2308,11 @@ GRANT SELECT (col1), UPDATE (col1) ON mytable TO miriam_rw;
|
||||
<programlisting>
|
||||
=> \dp mytable
|
||||
Access privileges
|
||||
Schema | Name | Type | Access privileges | Column privileges | Policies
|
||||
--------+---------+-------+------------------------+-----------------------+----------
|
||||
public | mytable | table | miriam=arwdDxtm/miriam+| col1: +|
|
||||
| | | =r/miriam +| miriam_rw=rw/miriam |
|
||||
| | | admin=arw/miriam | |
|
||||
Schema | Name | Type | Access privileges | Column privileges | Policies
|
||||
--------+---------+-------+-----------------------+-----------------------+----------
|
||||
public | mytable | table | miriam=arwdDxt/miriam+| col1: +|
|
||||
| | | =r/miriam +| miriam_rw=rw/miriam |
|
||||
| | | admin=arw/miriam | |
|
||||
(1 row)
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
@ -23545,7 +23545,7 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
|
||||
are <literal>SELECT</literal>, <literal>INSERT</literal>,
|
||||
<literal>UPDATE</literal>, <literal>DELETE</literal>,
|
||||
<literal>TRUNCATE</literal>, <literal>REFERENCES</literal>,
|
||||
<literal>TRIGGER</literal>, and <literal>MAINTAIN</literal>.
|
||||
and <literal>TRIGGER</literal>.
|
||||
</para></entry>
|
||||
</row>
|
||||
|
||||
|
||||
@ -28,7 +28,7 @@ ALTER DEFAULT PRIVILEGES
|
||||
|
||||
<phrase>where <replaceable class="parameter">abbreviated_grant_or_revoke</replaceable> is one of:</phrase>
|
||||
|
||||
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
|
||||
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
|
||||
[, ...] | ALL [ PRIVILEGES ] }
|
||||
ON TABLES
|
||||
TO { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
|
||||
@ -51,7 +51,7 @@ GRANT { USAGE | CREATE | ALL [ PRIVILEGES ] }
|
||||
TO { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
|
||||
|
||||
REVOKE [ GRANT OPTION FOR ]
|
||||
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
|
||||
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
|
||||
[, ...] | ALL [ PRIVILEGES ] }
|
||||
ON TABLES
|
||||
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
|
||||
|
||||
@ -182,9 +182,11 @@ ANALYZE [ VERBOSE ] [ <replaceable class="parameter">table_and_columns</replacea
|
||||
<title>Notes</title>
|
||||
|
||||
<para>
|
||||
To analyze a table, one must ordinarily have the <literal>MAINTAIN</literal>
|
||||
privilege on the table. However, database owners are allowed to
|
||||
To analyze a table, one must ordinarily be the table's owner or a
|
||||
superuser. However, database owners are allowed to
|
||||
analyze all tables in their databases, except shared catalogs.
|
||||
(The restriction for shared catalogs means that a true database-wide
|
||||
<command>ANALYZE</command> can only be performed by a superuser.)
|
||||
<command>ANALYZE</command> will skip over any tables that the calling user
|
||||
does not have permission to analyze.
|
||||
</para>
|
||||
|
||||
@ -70,8 +70,9 @@ CLUSTER [VERBOSE]
|
||||
<command>CLUSTER</command> without a
|
||||
<replaceable class="parameter">table_name</replaceable> reclusters all the
|
||||
previously-clustered tables in the current database that the calling user
|
||||
has privileges for. This form of <command>CLUSTER</command> cannot be
|
||||
executed inside a transaction block.
|
||||
owns, or all such tables if called by a superuser. This
|
||||
form of <command>CLUSTER</command> cannot be executed inside a transaction
|
||||
block.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -132,11 +133,6 @@ CLUSTER [VERBOSE]
|
||||
<refsect1>
|
||||
<title>Notes</title>
|
||||
|
||||
<para>
|
||||
To cluster a table, one must have the <literal>MAINTAIN</literal> privilege
|
||||
on the table.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In cases where you are accessing single rows randomly
|
||||
within a table, the actual order of the data in the
|
||||
|
||||
@ -21,7 +21,7 @@ PostgreSQL documentation
|
||||
|
||||
<refsynopsisdiv>
|
||||
<synopsis>
|
||||
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
|
||||
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
|
||||
[, ...] | ALL [ PRIVILEGES ] }
|
||||
ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...]
|
||||
| ALL TABLES IN SCHEMA <replaceable class="parameter">schema_name</replaceable> [, ...] }
|
||||
@ -193,7 +193,6 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
|
||||
<term><literal>USAGE</literal></term>
|
||||
<term><literal>SET</literal></term>
|
||||
<term><literal>ALTER SYSTEM</literal></term>
|
||||
<term><literal>MAINTAIN</literal></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specific types of privileges, as defined in <xref linkend="ddl-priv"/>.
|
||||
|
||||
@ -166,8 +166,8 @@ LOCK [ TABLE ] [ ONLY ] <replaceable class="parameter">name</replaceable> [ * ]
|
||||
|
||||
<para>
|
||||
To lock a table, the user must have the right privilege for the specified
|
||||
<replaceable class="parameter">lockmode</replaceable>.
|
||||
If the user has <literal>MAINTAIN</literal>,
|
||||
<replaceable class="parameter">lockmode</replaceable>, or be the table's
|
||||
owner or a superuser. If the user has
|
||||
<literal>UPDATE</literal>, <literal>DELETE</literal>, or
|
||||
<literal>TRUNCATE</literal> privileges on the table, any <replaceable
|
||||
class="parameter">lockmode</replaceable> is permitted. If the user has
|
||||
|
||||
@ -31,9 +31,8 @@ REFRESH MATERIALIZED VIEW [ CONCURRENTLY ] <replaceable class="parameter">name</
|
||||
|
||||
<para>
|
||||
<command>REFRESH MATERIALIZED VIEW</command> completely replaces the
|
||||
contents of a materialized view. To execute this command you must have the
|
||||
<literal>MAINTAIN</literal>
|
||||
privilege on the materialized view. The old contents are discarded. If
|
||||
contents of a materialized view. To execute this command you must be the
|
||||
owner of the materialized view. The old contents are discarded. If
|
||||
<literal>WITH DATA</literal> is specified (or defaults) the backing query
|
||||
is executed to provide the new data, and the materialized view is left in a
|
||||
scannable state. If <literal>WITH NO DATA</literal> is specified no new
|
||||
|
||||
@ -292,21 +292,16 @@ REINDEX [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] { DA
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Reindexing a single index or table requires
|
||||
having the <literal>MAINTAIN</literal> privilege on the
|
||||
table. Note that while <command>REINDEX</command> on a partitioned index or
|
||||
table requires having the <literal>MAINTAIN</literal> privilege on the
|
||||
partitioned table, such commands skip the privilege checks when processing
|
||||
the individual partitions. Reindexing a schema or database requires being the
|
||||
owner of that schema or database or having privileges of the
|
||||
<link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
|
||||
role. Note specifically that it's thus
|
||||
Reindexing a single index or table requires being the owner of that
|
||||
index or table. Reindexing a schema or database requires being the
|
||||
owner of that schema or database. Note specifically that it's thus
|
||||
possible for non-superusers to rebuild indexes of tables owned by
|
||||
other users. However, as a special exception,
|
||||
<command>REINDEX DATABASE</command>, <command>REINDEX SCHEMA</command>,
|
||||
and <command>REINDEX SYSTEM</command> will skip indexes on shared catalogs
|
||||
unless the user has the <literal>MAINTAIN</literal> privilege on the
|
||||
catalog.
|
||||
other users. However, as a special exception, when
|
||||
<command>REINDEX DATABASE</command>, <command>REINDEX SCHEMA</command>
|
||||
or <command>REINDEX SYSTEM</command> is issued by a non-superuser,
|
||||
indexes on shared catalogs will be skipped unless the user owns the
|
||||
catalog (which typically won't be the case). Of course, superusers
|
||||
can always reindex anything.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
||||
@ -22,7 +22,7 @@ PostgreSQL documentation
|
||||
<refsynopsisdiv>
|
||||
<synopsis>
|
||||
REVOKE [ GRANT OPTION FOR ]
|
||||
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
|
||||
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
|
||||
[, ...] | ALL [ PRIVILEGES ] }
|
||||
ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...]
|
||||
| ALL TABLES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }
|
||||
|
||||
@ -444,9 +444,11 @@ VACUUM [ FULL ] [ FREEZE ] [ VERBOSE ] [ ANALYZE ] [ <replaceable class="paramet
|
||||
<title>Notes</title>
|
||||
|
||||
<para>
|
||||
To vacuum a table, one must ordinarily have the <literal>MAINTAIN</literal>
|
||||
privilege on the table. However, database owners are allowed to
|
||||
To vacuum a table, one must ordinarily be the table's owner or a
|
||||
superuser. However, database owners are allowed to
|
||||
vacuum all tables in their databases, except shared catalogs.
|
||||
(The restriction for shared catalogs means that a true database-wide
|
||||
<command>VACUUM</command> can only be performed by a superuser.)
|
||||
<command>VACUUM</command> will skip over any tables that the calling user
|
||||
does not have permission to vacuum.
|
||||
</para>
|
||||
|
||||
@ -683,18 +683,6 @@ DROP ROLE doomed_role;
|
||||
the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
|
||||
command.</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>pg_maintain</entry>
|
||||
<entry>Allow executing
|
||||
<link linkend="sql-vacuum"><command>VACUUM</command></link>,
|
||||
<link linkend="sql-analyze"><command>ANALYZE</command></link>,
|
||||
<link linkend="sql-cluster"><command>CLUSTER</command></link>,
|
||||
<link linkend="sql-refreshmaterializedview"><command>REFRESH MATERIALIZED VIEW</command></link>,
|
||||
<link linkend="sql-reindex"><command>REINDEX</command></link>,
|
||||
and <link linkend="sql-lock"><command>LOCK TABLE</command></link> on all
|
||||
relations, as if having <literal>MAINTAIN</literal> rights on those
|
||||
objects, even without having it explicitly.</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>pg_use_reserved_connections</entry>
|
||||
<entry>Allow use of connection slots reserved via
|
||||
|
||||
Reference in New Issue
Block a user