database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-31 22:04:40 +03:00
Code Activity

Remove explicit superuser checks in favor of ACLs

Browse Source 
This removes the explicit superuser checks in the various file-access
functions in the backend, specifically pg_ls_dir(), pg_read_file(),
pg_read_binary_file(), and pg_stat_file().  Instead, EXECUTE is REVOKE'd
from public for these, meaning that only a superuser is able to run them
by default, but access to them can be GRANT'd to other roles.

Reviewed-By: Michael Paquier
Discussion: https://postgr.es/m/20171231191939.GR2416%40tamriel.snowman.net
This commit is contained in:
Stephen Frost
2018-04-06 14:47:10 -04:00
parent 94c1f9ba11
commit e79350fef2
2 changed files with 14 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/backend/catalog/system_views.sql
View File

@ -1156,6 +1156,20 @@ REVOKE EXECUTE ON FUNCTION lo_export(oid, text) FROM public;
REVOKE EXECUTE ON FUNCTION pg_ls_logdir() FROM public; REVOKE EXECUTE ON FUNCTION pg_ls_logdir() FROM public;
REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM public; REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM public;
REVOKE EXECUTE ON FUNCTION pg_read_file(text) FROM public;
REVOKE EXECUTE ON FUNCTION pg_read_file(text,bigint,bigint) FROM public;
REVOKE EXECUTE ON FUNCTION pg_read_file(text,bigint,bigint,boolean) FROM public;
REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text) FROM public;
REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint) FROM public;
REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint,boolean) FROM public;
REVOKE EXECUTE ON FUNCTION pg_stat_file(text) FROM public;
REVOKE EXECUTE ON FUNCTION pg_stat_file(text,boolean) FROM public;
REVOKE EXECUTE ON FUNCTION pg_ls_dir(text) FROM public;
REVOKE EXECUTE ON FUNCTION pg_ls_dir(text,boolean,boolean) FROM public;
-- --
-- We also set up some things as accessible to standard roles. -- We also set up some things as accessible to standard roles.
-- --

20
src/backend/utils/adt/genfile.c
View File

@ -195,11 +195,6 @@ pg_read_file(PG_FUNCTION_ARGS)
char *filename; char *filename;
text *result; text *result;
if (!superuser())
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
(errmsg("must be superuser to read files"))));
/* handle optional arguments */ /* handle optional arguments */
if (PG_NARGS() >= 3) if (PG_NARGS() >= 3)
{ {
@ -236,11 +231,6 @@ pg_read_binary_file(PG_FUNCTION_ARGS)
char *filename; char *filename;
bytea *result; bytea *result;
if (!superuser())
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
(errmsg("must be superuser to read files"))));
/* handle optional arguments */ /* handle optional arguments */
if (PG_NARGS() >= 3) if (PG_NARGS() >= 3)
{ {
@ -313,11 +303,6 @@ pg_stat_file(PG_FUNCTION_ARGS)
TupleDesc tupdesc; TupleDesc tupdesc;
bool missing_ok = false; bool missing_ok = false;
if (!superuser())
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
(errmsg("must be superuser to get file information"))));
/* check the optional argument */ /* check the optional argument */
if (PG_NARGS() == 2) if (PG_NARGS() == 2)
missing_ok = PG_GETARG_BOOL(1); missing_ok = PG_GETARG_BOOL(1);
@ -399,11 +384,6 @@ pg_ls_dir(PG_FUNCTION_ARGS)
directory_fctx *fctx; directory_fctx *fctx;
MemoryContext oldcontext; MemoryContext oldcontext;
if (!superuser())
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
(errmsg("must be superuser to get directory listings"))));
if (SRF_IS_FIRSTCALL()) if (SRF_IS_FIRSTCALL())
{ {
bool missing_ok = false; bool missing_ok = false;