mirror of
https://github.com/postgres/postgres.git
synced 2025-07-30 11:03:19 +03:00
Enforce superuser permissions checks during ALTER ROLE/DATABASE SET, rather
than during define_custom_variable(). This entails rejecting an ALTER command if the target variable doesn't have a known (non-placeholder) definition, unless the calling user is superuser. When the variable *is* known, we can correctly apply the rule that only superusers can issue ALTER for SUSET parameters. This allows define_custom_variable to apply ALTER's values for SUSET parameters at module load time, secure in the knowledge that only a superuser could have set the ALTER value. This change fixes a longstanding gotcha in the usage of SUSET-level custom parameters; which is a good thing to fix now that plpgsql defines such a parameter.
This commit is contained in:
Tom Lane
@ -1,5 +1,5 @@
|
||||
<!--
|
||||
$PostgreSQL: pgsql/doc/src/sgml/ref/alter_role.sgml,v 1.16 2010/04/03 07:22:57 petere Exp $
|
||||
$PostgreSQL: pgsql/doc/src/sgml/ref/alter_role.sgml,v 1.17 2010/04/21 20:54:19 tgl Exp $
|
||||
PostgreSQL documentation
|
||||
-->
|
||||
|
||||
@ -24,7 +24,7 @@ PostgreSQL documentation
|
||||
ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replaceable class="PARAMETER">option</replaceable> [ ... ] ]
|
||||
|
||||
<phrase>where <replaceable class="PARAMETER">option</replaceable> can be:</phrase>
|
||||
|
||||
|
||||
SUPERUSER | NOSUPERUSER
|
||||
| CREATEDB | NOCREATEDB
|
||||
| CREATEROLE | NOCREATEROLE
|
||||
@ -33,7 +33,7 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replace
|
||||
| LOGIN | NOLOGIN
|
||||
| CONNECTION LIMIT <replaceable class="PARAMETER">connlimit</replaceable>
|
||||
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
|
||||
| VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
|
||||
| VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
|
||||
|
||||
ALTER ROLE <replaceable class="PARAMETER">name</replaceable> RENAME TO <replaceable>new_name</replaceable>
|
||||
|
||||
@ -54,7 +54,7 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
|
||||
|
||||
<para>
|
||||
The first variant of this command listed in the synopsis can change
|
||||
many of the role attributes that can be specified in
|
||||
many of the role attributes that can be specified in
|
||||
<xref linkend="sql-createrole">.
|
||||
(All the possible attributes are covered,
|
||||
except that there are no options for adding or removing memberships; use
|
||||
@ -79,20 +79,24 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
|
||||
password is <literal>MD5</>-encrypted.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The remaining variants change a role's session default for a configuration variable
|
||||
for all databases or, when the <literal>IN DATABASE</literal> clause is specified,
|
||||
for the named database. Whenever the role subsequently
|
||||
<para>
|
||||
The remaining variants change a role's session default for a configuration
|
||||
variable, either for all databases or, when the <literal>IN
|
||||
DATABASE</literal> clause is specified, only for sessions in
|
||||
the named database. Whenever the role subsequently
|
||||
starts a new session, the specified value becomes the session
|
||||
default, overriding whatever setting is present in
|
||||
<filename>postgresql.conf</> or has been received from the postgres
|
||||
command line. This only happens at login time, so configuration
|
||||
settings associated with a role to which you've <xref
|
||||
linkend="sql-set-role"> will be ignored. Settings set to
|
||||
a role directly are overridden by any database specific settings attached to a role.
|
||||
command line. This only happens at login time; executing
|
||||
<xref linkend="sql-set-role"> or
|
||||
<xref linkend="sql-set-session-authorization"> does not cause new
|
||||
configuration values to be set.
|
||||
Settings set for all databases are overridden by database-specific settings
|
||||
attached to a role.
|
||||
Superusers can change anyone's session defaults. Roles having
|
||||
<literal>CREATEROLE</> privilege can change defaults for non-superuser
|
||||
roles. Certain variables cannot be set this way, or can only be
|
||||
roles. Ordinary roles can only set defaults for themselves.
|
||||
Certain configuration variables cannot be set this way, or can only be
|
||||
set if a superuser issues the command.
|
||||
</para>
|
||||
</refsect1>
|
||||
@ -169,14 +173,15 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
|
||||
<literal>RESET ALL</literal> to clear all role-specific settings.
|
||||
<literal>SET FROM CURRENT</> saves the session's current value of
|
||||
the parameter as the role-specific value.
|
||||
If used in conjunction with <literal>IN DATABASE</literal>, the configuration
|
||||
If <literal>IN DATABASE</literal> is specified, the configuration
|
||||
parameter is set or removed for the given role and database only.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Role-specific variable setting take effect only at login;
|
||||
<xref linkend="sql-set-role">
|
||||
does not process role-specific variable settings.
|
||||
Role-specific variable settings take effect only at login;
|
||||
<xref linkend="sql-set-role"> and
|
||||
<xref linkend="sql-set-session-authorization">
|
||||
do not process role-specific variable settings.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -210,8 +215,8 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
|
||||
in cleartext, and it might also be logged in the client's command
|
||||
history or the server log. <xref linkend="app-psql">
|
||||
contains a command
|
||||
<command>\password</command> that can be used to safely change a
|
||||
role's password.
|
||||
<command>\password</command> that can be used to change a
|
||||
role's password without exposing the cleartext password.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -276,8 +281,8 @@ ALTER ROLE worker_bee SET maintenance_work_mem = 100000;
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Give a role a non-default, database-specific setting of the
|
||||
<xref linkend="guc-client-min-messages"> parameter:
|
||||
Give a role a non-default, database-specific setting of the
|
||||
<xref linkend="guc-client-min-messages"> parameter:
|
||||
|
||||
<programlisting>
|
||||
ALTER ROLE fred IN DATABASE devel SET client_min_messages = DEBUG;
|
||||
@ -287,7 +292,7 @@ ALTER ROLE fred IN DATABASE devel SET client_min_messages = DEBUG;
|
||||
|
||||
<refsect1>
|
||||
<title>Compatibility</title>
|
||||
|
||||
|
||||
<para>
|
||||
The <command>ALTER ROLE</command> statement is a
|
||||
<productname>PostgreSQL</productname> extension.
|
||||
|
||||
Reference in New Issue
Block a user