database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-04-22 23:02:54 +03:00
Code

Add new USERLIMIT GUC source level so certain options can be disabled

Browse Source 
or increased only by super-users.

This fixes problems caused by making certain variables SUSET for
security reasons.
This commit is contained in:
Bruce Momjian 2003-07-09 06:47:34 +00:00
parent 6896bfa86c
commit bf889e649a
4 changed files with 169 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
doc/src/sgml/runtime.sgml
View File

@ -1,5 +1,5 @@
<!-- <!--
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.190 2003/07/04 16:41:21 tgl Exp $ $Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.191 2003/07/09 06:47:34 momjian Exp $
--> -->
<Chapter Id="runtime"> <Chapter Id="runtime">
@ -1541,6 +1541,7 @@ SET ENABLE_SEQSCAN TO OFF;
to the log. The default is <literal>NOTICE</>. Note that to the log. The default is <literal>NOTICE</>. Note that
<literal>LOG</> has a different rank here than in <literal>LOG</> has a different rank here than in
<literal>CLIENT_MIN_MESSAGES</>. <literal>CLIENT_MIN_MESSAGES</>.
Only superusers can increase this option.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1576,6 +1577,7 @@ SET ENABLE_SEQSCAN TO OFF;
SQL statements causing errors, fatal errors, or panics will be SQL statements causing errors, fatal errors, or panics will be
logged. Enabling this option can be helpful in tracking down logged. Enabling this option can be helpful in tracking down
the source of any errors that appear in the server log. the source of any errors that appear in the server log.
Only superusers can increase this option.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1593,6 +1595,8 @@ SET ENABLE_SEQSCAN TO OFF;
than 250ms will be logged. Enabling this than 250ms will be logged. Enabling this
option can be useful in tracking down unoptimized queries in option can be useful in tracking down unoptimized queries in
your applications. your applications.
Only superusers can increase this option if it is set to
non-zero by the administrator.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1743,6 +1747,8 @@ SET ENABLE_SEQSCAN TO OFF;
To use this option, enable <varname>LOG_STATEMENT</> and To use this option, enable <varname>LOG_STATEMENT</> and
<varname>LOG_PID</> so you can link the statement to the <varname>LOG_PID</> so you can link the statement to the
duration using the process ID. duration using the process ID.
Only superusers can turn off this option if it is enabled by
the administrator.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1765,6 +1771,8 @@ SET ENABLE_SEQSCAN TO OFF;
<listitem> <listitem>
<para> <para>
Causes each SQL statement to be logged. Causes each SQL statement to be logged.
Only superusers can turn off this option if it is enabled by
the administrator.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1826,6 +1834,8 @@ SET ENABLE_SEQSCAN TO OFF;
For each query, write performance statistics of the respective For each query, write performance statistics of the respective
module to the server log. This is a crude profiling module to the server log. This is a crude profiling
instrument. instrument.
Only superusers can turn off this option if it is enabled by
the administrator.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

34
src/backend/tcop/postgres.c
View File

@ -8,7 +8,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/tcop/postgres.c,v 1.349 2003/07/04 16:41:21 tgl Exp $ * $Header: /cvsroot/pgsql/src/backend/tcop/postgres.c,v 1.350 2003/07/09 06:47:34 momjian Exp $
* *
* NOTES * NOTES
* this is the "main" module of the postgres backend and * this is the "main" module of the postgres backend and
@ -1943,7 +1943,7 @@ PostgresMain(int argc, char *argv[], const char *username)
bool secure; bool secure;
int errs = 0; int errs = 0;
int debug_flag = 0; int debug_flag = 0;
GucContext ctx; GucContext ctx, debug_context;
GucSource gucsource; GucSource gucsource;
char *tmp; char *tmp;
int firstchar; int firstchar;
@ -2018,7 +2018,7 @@ PostgresMain(int argc, char *argv[], const char *username)
/* all options are allowed until '-p' */ /* all options are allowed until '-p' */
secure = true; secure = true;
ctx = PGC_POSTMASTER; ctx = debug_context = PGC_POSTMASTER;
gucsource = PGC_S_ARGV; /* initial switches came from command line */ gucsource = PGC_S_ARGV; /* initial switches came from command line */
while ((flag = getopt(argc, argv, "A:B:c:CD:d:Eef:FiNOPo:p:S:st:v:W:x:-:")) != -1) while ((flag = getopt(argc, argv, "A:B:c:CD:d:Eef:FiNOPo:p:S:st:v:W:x:-:")) != -1)
@ -2054,10 +2054,18 @@ PostgresMain(int argc, char *argv[], const char *username)
break; break;
case 'd': /* debug level */ case 'd': /* debug level */
{
/*
* Client option can't decrease debug level.
* We have to do the test here because we group priv and client
* set GUC calls below, after we know the final debug value.
*/
if (ctx != PGC_BACKEND || atoi(optarg) > debug_flag)
{ {
debug_flag = atoi(optarg); debug_flag = atoi(optarg);
debug_context = ctx; /* save context for use below */
/* Set server debugging level. */ /* Set server debugging level. */
if (atoi(optarg) != 0) if (debug_flag != 0)
{ {
char *debugstr = palloc(strlen("debug") + strlen(optarg) + 1); char *debugstr = palloc(strlen("debug") + strlen(optarg) + 1);
@ -2075,6 +2083,7 @@ PostgresMain(int argc, char *argv[], const char *username)
SetConfigOption("log_min_messages", "notice", SetConfigOption("log_min_messages", "notice",
ctx, gucsource); ctx, gucsource);
} }
}
break; break;
case 'E': case 'E':
@ -2323,20 +2332,19 @@ PostgresMain(int argc, char *argv[], const char *username)
/* /*
* -d is not the same as setting * -d is not the same as setting log_min_messages because it enables
* log_min_messages because it enables other * other output options.
* output options.
*/ */
if (debug_flag >= 1) if (debug_flag >= 1)
SetConfigOption("log_connections", "true", ctx, gucsource); SetConfigOption("log_connections", "true", debug_context, gucsource);
if (debug_flag >= 2) if (debug_flag >= 2)
SetConfigOption("log_statement", "true", ctx, gucsource); SetConfigOption("log_statement", "true", debug_context, gucsource);
if (debug_flag >= 3) if (debug_flag >= 3)
SetConfigOption("debug_print_parse", "true", ctx, gucsource); SetConfigOption("debug_print_parse", "true", debug_context, gucsource);
if (debug_flag >= 4) if (debug_flag >= 4)
SetConfigOption("debug_print_plan", "true", ctx, gucsource); SetConfigOption("debug_print_plan", "true", debug_context, gucsource);
if (debug_flag >= 5) if (debug_flag >= 5)
SetConfigOption("debug_print_rewritten", "true", ctx, gucsource); SetConfigOption("debug_print_rewritten", "true", debug_context, gucsource);
/* /*
* Process any additional GUC variable settings passed in startup packet. * Process any additional GUC variable settings passed in startup packet.
@ -2548,7 +2556,7 @@ PostgresMain(int argc, char *argv[], const char *username)
if (!IsUnderPostmaster) if (!IsUnderPostmaster)
{ {
puts("\nPOSTGRES backend interactive interface "); puts("\nPOSTGRES backend interactive interface ");
puts("$Revision: 1.349 $ $Date: 2003/07/04 16:41:21 $\n"); puts("$Revision: 1.350 $ $Date: 2003/07/09 06:47:34 $\n");
} }
/* /*

117
src/backend/utils/misc/guc.c
View File

@ -10,7 +10,7 @@
* Written by Peter Eisentraut <peter_e@gmx.net>. * Written by Peter Eisentraut <peter_e@gmx.net>.
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.134 2003/07/04 16:41:21 tgl Exp $ * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.135 2003/07/09 06:47:34 momjian Exp $
* *
*-------------------------------------------------------------------- *--------------------------------------------------------------------
*/ */
@ -449,7 +449,7 @@ static struct config_bool ConfigureNamesBool[] =
false, NULL, NULL false, NULL, NULL
}, },
{ {
{"log_statement", PGC_SUSET, LOGGING_WHAT, {"log_statement", PGC_USERLIMIT, LOGGING_WHAT,
gettext_noop("Causes each SQL statement to be logged"), gettext_noop("Causes each SQL statement to be logged"),
NULL NULL
}, },
@ -457,7 +457,7 @@ static struct config_bool ConfigureNamesBool[] =
false, NULL, NULL false, NULL, NULL
}, },
{ {
{"log_duration", PGC_SUSET, LOGGING_WHAT, {"log_duration", PGC_USERLIMIT, LOGGING_WHAT,
gettext_noop("Duration of every completed statement is logged"), gettext_noop("Duration of every completed statement is logged"),
NULL NULL
}, },
@ -497,7 +497,7 @@ static struct config_bool ConfigureNamesBool[] =
false, NULL, NULL false, NULL, NULL
}, },
{ {
{"log_parser_stats", PGC_SUSET, STATS_MONITORING, {"log_parser_stats", PGC_USERLIMIT, STATS_MONITORING,
gettext_noop("Write parser performance stats to server log"), gettext_noop("Write parser performance stats to server log"),
NULL NULL
}, },
@ -505,7 +505,7 @@ static struct config_bool ConfigureNamesBool[] =
false, NULL, NULL false, NULL, NULL
}, },
{ {
{"log_planner_stats", PGC_SUSET, STATS_MONITORING, {"log_planner_stats", PGC_USERLIMIT, STATS_MONITORING,
gettext_noop("Write planner performance stats to server log"), gettext_noop("Write planner performance stats to server log"),
NULL NULL
}, },
@ -513,7 +513,7 @@ static struct config_bool ConfigureNamesBool[] =
false, NULL, NULL false, NULL, NULL
}, },
{ {
{"log_executor_stats", PGC_SUSET, STATS_MONITORING, {"log_executor_stats", PGC_USERLIMIT, STATS_MONITORING,
gettext_noop("Write executor performance stats to server log"), gettext_noop("Write executor performance stats to server log"),
NULL NULL
}, },
@ -521,7 +521,7 @@ static struct config_bool ConfigureNamesBool[] =
false, NULL, NULL false, NULL, NULL
}, },
{ {
{"log_statement_stats", PGC_SUSET, STATS_MONITORING, {"log_statement_stats", PGC_USERLIMIT, STATS_MONITORING,
gettext_noop("Write statement performance stats to server log"), gettext_noop("Write statement performance stats to server log"),
NULL NULL
}, },
@ -1107,7 +1107,7 @@ static struct config_int ConfigureNamesInt[] =
}, },
{ {
{"log_min_duration_statement", PGC_SUSET, LOGGING_WHEN, {"log_min_duration_statement", PGC_USERLIMIT, LOGGING_WHEN,
gettext_noop("Min execution time (msec) above which statements will " gettext_noop("Min execution time (msec) above which statements will "
"be logged"), "be logged"),
gettext_noop("The default is 0 (turning this feature off).") gettext_noop("The default is 0 (turning this feature off).")
@ -1228,7 +1228,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"log_min_messages", PGC_SUSET, LOGGING_WHEN, {"log_min_messages", PGC_USERLIMIT, LOGGING_WHEN,
gettext_noop("Controls which message levels logged"), gettext_noop("Controls which message levels logged"),
gettext_noop("Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, " gettext_noop("Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, "
"INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each level " "INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each level "
@ -1248,7 +1248,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"log_min_error_statement", PGC_SUSET, LOGGING_WHEN, {"log_min_error_statement", PGC_USERLIMIT, LOGGING_WHEN,
gettext_noop("Controls whether the erroneous statement is logged"), gettext_noop("Controls whether the erroneous statement is logged"),
gettext_noop("All SQL statements that cause an error of the " gettext_noop("All SQL statements that cause an error of the "
"specified level, or a higher level, are logged") "specified level, or a higher level, are logged")
@ -1714,6 +1714,9 @@ InitializeGUCOptions(void)
Assert(conf->reset_val >= conf->min); Assert(conf->reset_val >= conf->min);
Assert(conf->reset_val <= conf->max); Assert(conf->reset_val <= conf->max);
/* Check to make sure we only have valid PGC_USERLIMITs */
Assert(conf->gen.context != PGC_USERLIMIT ||
strcmp(conf->gen.name, "log_min_duration_statement") == 0);
if (conf->assign_hook) if (conf->assign_hook)
if (!(*conf->assign_hook) (conf->reset_val, true, false)) if (!(*conf->assign_hook) (conf->reset_val, true, false))
fprintf(stderr, "Failed to initialize %s to %d\n", fprintf(stderr, "Failed to initialize %s to %d\n",
@ -1728,6 +1731,7 @@ InitializeGUCOptions(void)
Assert(conf->reset_val >= conf->min); Assert(conf->reset_val >= conf->min);
Assert(conf->reset_val <= conf->max); Assert(conf->reset_val <= conf->max);
Assert(conf->gen.context != PGC_USERLIMIT);
if (conf->assign_hook) if (conf->assign_hook)
if (!(*conf->assign_hook) (conf->reset_val, true, false)) if (!(*conf->assign_hook) (conf->reset_val, true, false))
fprintf(stderr, "Failed to initialize %s to %g\n", fprintf(stderr, "Failed to initialize %s to %g\n",
@ -1741,6 +1745,11 @@ InitializeGUCOptions(void)
struct config_string *conf = (struct config_string *) gconf; struct config_string *conf = (struct config_string *) gconf;
char *str; char *str;
/* Check to make sure we only have valid PGC_USERLIMITs */
Assert(conf->gen.context != PGC_USERLIMIT ||
conf->assign_hook == assign_log_min_messages ||
conf->assign_hook == assign_client_min_messages ||
conf->assign_hook == assign_min_error_statement);
*conf->variable = NULL; *conf->variable = NULL;
conf->reset_val = NULL; conf->reset_val = NULL;
conf->session_val = NULL; conf->session_val = NULL;
@ -1837,7 +1846,9 @@ ResetAllOptions(void)
struct config_generic *gconf = guc_variables[i]; struct config_generic *gconf = guc_variables[i];
/* Don't reset non-SET-able values */ /* Don't reset non-SET-able values */
if (gconf->context != PGC_SUSET && gconf->context != PGC_USERSET) if (gconf->context != PGC_SUSET &&
gconf->context != PGC_USERLIMIT &&
gconf->context != PGC_USERSET)
continue; continue;
/* Don't reset if special exclusion from RESET ALL */ /* Don't reset if special exclusion from RESET ALL */
if (gconf->flags & GUC_NO_RESET_ALL) if (gconf->flags & GUC_NO_RESET_ALL)
@ -2286,6 +2297,7 @@ set_config_option(const char *name, const char *value,
int elevel; int elevel;
bool interactive; bool interactive;
bool makeDefault; bool makeDefault;
bool DoIt_orig;
if (context == PGC_SIGHUP || source == PGC_S_DEFAULT) if (context == PGC_SIGHUP || source == PGC_S_DEFAULT)
elevel = DEBUG2; elevel = DEBUG2;
@ -2371,6 +2383,7 @@ set_config_option(const char *name, const char *value,
return false; return false;
} }
break; break;
case PGC_USERLIMIT: /* USERLIMIT permissions checked below */
case PGC_USERSET: case PGC_USERSET:
/* always okay */ /* always okay */
break; break;
@ -2393,6 +2406,7 @@ set_config_option(const char *name, const char *value,
* to set the reset/session values even if we can't set the variable * to set the reset/session values even if we can't set the variable
* itself. * itself.
*/ */
DoIt_orig = DoIt; /* we might have to reverse this later */
if (record->source > source) if (record->source > source)
{ {
if (DoIt && !makeDefault) if (DoIt && !makeDefault)
@ -2422,6 +2436,24 @@ set_config_option(const char *name, const char *value,
name); name);
return false; return false;
} }
/* Limit non-super user changes */
if (record->context == PGC_USERLIMIT &&
source > PGC_S_USERSTART &&
newval < conf->session_val &&
!superuser())
{
elog(elevel, "'%s': permission denied\n"
"Only super-users can set this value to false.",
name);
return false;
}
/* Allow admin to override non-super user setting */
if (record->context == PGC_USERLIMIT &&
source < PGC_S_USERSTART &&
record->session_source > PGC_S_USERSTART &&
newval > conf->session_val &&
!superuser())
DoIt = DoIt_orig;
} }
else else
{ {
@ -2493,6 +2525,25 @@ set_config_option(const char *name, const char *value,
name, newval, conf->min, conf->max); name, newval, conf->min, conf->max);
return false; return false;
} }
/* Limit non-super user changes */
if (record->context == PGC_USERLIMIT &&
source > PGC_S_USERSTART &&
conf->session_val != 0 &&
newval > conf->session_val &&
!superuser())
{
elog(elevel, "'%s': permission denied\n"
"Only super-users can increase this value.",
name);
return false;
}
/* Allow admin to override non-super user setting */
if (record->context == PGC_USERLIMIT &&
source < PGC_S_USERSTART &&
record->session_source > PGC_S_USERSTART &&
newval < conf->session_val &&
!superuser())
DoIt = DoIt_orig;
} }
else else
{ {
@ -2564,6 +2615,24 @@ set_config_option(const char *name, const char *value,
name, newval, conf->min, conf->max); name, newval, conf->min, conf->max);
return false; return false;
} }
/* Limit non-super user changes */
if (record->context == PGC_USERLIMIT &&
source > PGC_S_USERSTART &&
newval > conf->session_val &&
!superuser())
{
elog(elevel, "'%s': permission denied\n"
"Only super-users can increase this value.",
name);
return false;
}
/* Allow admin to override non-super user setting */
if (record->context == PGC_USERLIMIT &&
source < PGC_S_USERSTART &&
record->session_source > PGC_S_USERSTART &&
newval < conf->session_val &&
!superuser())
DoIt = DoIt_orig;
} }
else else
{ {
@ -2628,6 +2697,32 @@ set_config_option(const char *name, const char *value,
elog(elevel, "out of memory"); elog(elevel, "out of memory");
return false; return false;
} }
if (*conf->variable)
{
int old_int_value, new_int_value;
/* Limit non-super user changes */
assign_msglvl(&old_int_value, conf->reset_val, true, interactive);
assign_msglvl(&new_int_value, newval, true, interactive);
if (record->context == PGC_USERLIMIT &&
source > PGC_S_USERSTART &&
new_int_value > old_int_value &&
!superuser())
{
elog(elevel, "'%s': permission denied\n"
"Only super-users can increase this value.",
name);
return false;
}
/* Allow admin to override non-super user setting */
if (record->context == PGC_USERLIMIT &&
source < PGC_S_USERSTART &&
record->session_source > PGC_S_USERSTART &&
newval < conf->session_val &&
!superuser())
DoIt = DoIt_orig;
}
} }
else if (conf->reset_val) else if (conf->reset_val)
{ {

21
src/include/utils/guc.h
View File

@ -7,7 +7,7 @@
* Copyright 2000-2003 by PostgreSQL Global Development Group * Copyright 2000-2003 by PostgreSQL Global Development Group
* Written by Peter Eisentraut <peter_e@gmx.net>. * Written by Peter Eisentraut <peter_e@gmx.net>.
* *
* $Id: guc.h,v 1.32 2003/06/11 18:01:14 momjian Exp $ * $Id: guc.h,v 1.33 2003/07/09 06:47:34 momjian Exp $
*-------------------------------------------------------------------- *--------------------------------------------------------------------
*/ */
#ifndef GUC_H #ifndef GUC_H
@ -48,6 +48,9 @@
* be set in the connection startup packet, because when it is processed * be set in the connection startup packet, because when it is processed
* we don't yet know if the user is a superuser. * we don't yet know if the user is a superuser.
* *
* USERLIMIT options can only be manipulated in certain ways by
* non-super users.
*
* USERSET options can be set by anyone any time. * USERSET options can be set by anyone any time.
*/ */
typedef enum typedef enum
@ -57,6 +60,7 @@ typedef enum
PGC_SIGHUP, PGC_SIGHUP,
PGC_BACKEND, PGC_BACKEND,
PGC_SUSET, PGC_SUSET,
PGC_USERLIMIT,
PGC_USERSET PGC_USERSET
} GucContext; } GucContext;
@ -76,11 +80,16 @@ typedef enum
PGC_S_ENV_VAR = 1, /* postmaster environment variable */ PGC_S_ENV_VAR = 1, /* postmaster environment variable */
PGC_S_FILE = 2, /* postgresql.conf */ PGC_S_FILE = 2, /* postgresql.conf */
PGC_S_ARGV = 3, /* postmaster command line */ PGC_S_ARGV = 3, /* postmaster command line */
PGC_S_DATABASE = 4, /* per-database setting */ PGC_S_USERSTART=4, /*
PGC_S_USER = 5, /* per-user setting */ * Settings below are controlled by users.
PGC_S_CLIENT = 6, /* from client connection request */ * This is used by PGC_USERLIMT to prevent
PGC_S_OVERRIDE = 7, /* special case to forcibly set default */ * non-super users from changing certain settings.
PGC_S_SESSION = 8 /* SET command */ */
PGC_S_DATABASE = 5, /* per-database setting */
PGC_S_USER = 6, /* per-user setting */
PGC_S_CLIENT = 7, /* from client connection request */
PGC_S_OVERRIDE = 8, /* special case to forcibly set default */
PGC_S_SESSION = 9 /* SET command */
} GucSource; } GucSource;