1
0
mirror of https://github.com/postgres/postgres.git synced 2025-08-18 12:22:09 +03:00
Commit Graph

7305 Commits

Author SHA1 Message Date
Tom Lane
519c32fa00 Document permissions needed for pg_database_size and pg_tablespace_size.
Back in 8.3, we installed permissions checks in these functions (see
commits 8bc225e799 and cc26599b72).  But we forgot to document that
anywhere in the user-facing docs; it did get mentioned in the 8.3 release
notes, but nobody's looking at that any more.  Per gripe from Suya Huang.
2014-05-08 21:45:35 -04:00
Tom Lane
98b1dda7f7 Fix documentation about joining pg_locks to other views.
The advice to join to pg_prepared_xacts via the transaction column was not
updated when the transaction column was replaced by virtualtransaction.
Since it's not quite obvious how to do that join, give an explicit example.
For consistency also give an example for the adjacent case of joining to
pg_stat_activity.  And link-ify the view references too, just because we
can.  Per bug #9840 from Alexey Bashtanov.

Michael Paquier and Tom Lane
2014-04-03 14:18:48 -04:00
Tom Lane
1bd1ba8d1f Fix documentation about size of interval type.
It's been 16 bytes, not 12, for ages.  This was fixed in passing in HEAD
(commit 146604ec), but as a factual error it should have been back-patched.
Per gripe from Tatsuhito Kasahara.
2014-04-03 11:06:38 -04:00
Noah Misch
563e82073a Revert "Secure Unix-domain sockets of "make check" temporary clusters."
About half of the buildfarm members use too-long directory names,
strongly suggesting that this approach is a dead end.
2014-03-29 03:14:50 -04:00
Noah Misch
556906de2f Secure Unix-domain sockets of "make check" temporary clusters.
Any OS user able to access the socket can connect as the bootstrap
superuser and in turn execute arbitrary code as the OS user running the
test.  Protect against that by placing the socket in the temporary data
directory, which has mode 0700 thanks to initdb.  Back-patch to 8.4 (all
supported versions).  The hazard remains wherever the temporary cluster
accepts TCP connections, notably on Windows.

Attempts to run "make check" from a directory with a long name will now
fail.  An alternative not sharing that problem was to place the socket
in a subdirectory of /tmp, but that is only secure if /tmp is sticky.
The PG_REGRESS_SOCK_DIR environment variable is available as a
workaround when testing from long directory paths.

As a convenient side effect, this lets testing proceed smoothly in
builds that override DEFAULT_PGSOCKET_DIR.  Popular non-default values
like /var/run/postgresql are often unwritable to the build user.

Security: CVE-2014-0067
2014-03-29 01:30:29 -04:00
Noah Misch
7907098908 Document platform-specificity of unix_socket_permissions.
Back-patch to 8.4 (all supported versions).
2014-03-29 01:19:48 -04:00
Tom Lane
cc80df243e Release notes for 9.3.4, 9.2.8, 9.1.13, 9.0.17, 8.4.21. 2014-03-17 15:28:38 -04:00
Heikki Linnakangas
fb61ff85e1 Fix name of syslog_ident GUC in docs.
Michael Paquier
2014-03-07 10:38:25 +02:00
Tom Lane
56e55cfd26 Last-minute updates for release notes.
Add entries for security issues.

Security: CVE-2014-0060 through CVE-2014-0067
2014-02-17 14:25:54 -05:00
Tom Lane
f58663ab1a Document risks of "make check" in the regression testing instructions.
Since the temporary server started by "make check" uses "trust"
authentication, another user on the same machine could connect to it
as database superuser, and then potentially exploit the privileges of
the operating-system user who started the tests.  We should change
the testing procedures to prevent this risk; but discussion is required
about the best way to do that, as well as more testing than is practical
for an undisclosed security problem.  Besides, the same issue probably
affects some user-written test harnesses.  So for the moment, we'll just
warn people against using "make check" when there are untrusted users on
the same machine.

In passing, remove some ancient advice that suggested making the
regression testing subtree world-writable if you'd built as root.
That looks dangerously insecure in modern contexts, and anyway we
should not be encouraging people to build Postgres as root.

Security: CVE-2014-0067
2014-02-17 11:24:51 -05:00
Noah Misch
09e2d4c145 Document security implications of check_function_bodies.
Back-patch to 8.4 (all supported versions).
2014-02-17 09:33:38 -05:00
Noah Misch
ff35425c8f Shore up ADMIN OPTION restrictions.
Granting a role without ADMIN OPTION is supposed to prevent the grantee
from adding or removing members from the granted role.  Issuing SET ROLE
before the GRANT bypassed that, because the role itself had an implicit
right to add or remove members.  Plug that hole by recognizing that
implicit right only when the session user matches the current role.
Additionally, do not recognize it during a security-restricted operation
or during execution of a SECURITY DEFINER function.  The restriction on
SECURITY DEFINER is not security-critical.  However, it seems best for a
user testing his own SECURITY DEFINER function to see the same behavior
others will see.  Back-patch to 8.4 (all supported versions).

The SQL standards do not conflate roles and users as PostgreSQL does;
only SQL roles have members, and only SQL users initiate sessions.  An
application using PostgreSQL users and roles as SQL users and roles will
never attempt to grant membership in the role that is the session user,
so the implicit right to add or remove members will never arise.

The security impact was mostly that a role member could revoke access
from others, contrary to the wishes of his own grantor.  Unapproved role
member additions are less notable, because the member can still largely
achieve that by creating a view or a SECURITY DEFINER function.

Reviewed by Andres Freund and Tom Lane.  Reported, independently, by
Jonas Sundman and Noah Misch.

Security: CVE-2014-0060
2014-02-17 09:33:38 -05:00
Tom Lane
bde3307cc1 Release notes for 9.3.3, 9.2.7, 9.1.12, 9.0.16, 8.4.20. 2014-02-16 22:08:45 -05:00
Tom Lane
b0154f20b3 Suggest shell here-documents instead of psql -c for multiple commands.
The documentation suggested using "echo | psql", but not the often-superior
alternative of a here-document.  Also, be more direct about suggesting
that people avoid -c for multiple commands.  Per discussion.
2014-02-14 12:54:58 -05:00
Tom Lane
42ec6a8323 Improve cross-references between minor version release notes.
We have a practice of providing a "bread crumb" trail between the minor
versions where the migration section actually tells you to do something.
Historically that was just plain text, eg, "see the release notes for
9.2.4"; but if you're using a browser or PDF reader, it's a lot nicer
if it's a live hyperlink.  So use "<xref>" instead.  Any argument against
doing this vanished with the recent decommissioning of plain-text release
notes.

Vik Fearing
2014-02-12 19:09:32 -05:00
Tom Lane
432735cbf3 Don't generate plain-text HISTORY and src/test/regress/README anymore.
Providing this information as plain text was doubtless worth the trouble
ten years ago, but it seems likely that hardly anyone reads it in this
format anymore.  And the effort required to maintain these files (in the
form of extra-complex markup rules in the relevant parts of the SGML
documentation) is significant.  So, let's stop doing that and rely solely
on the other documentation formats.

Per discussion, the plain-text INSTALL instructions might still be worth
their keep, so we continue to generate that file.

Rather than remove HISTORY and src/test/regress/README from distribution
tarballs entirely, replace them with simple stub files that tell the reader
where to find the relevant documentation.  This is mainly to avoid possibly
breaking packaging recipes that expect these files to exist.

Back-patch to all supported branches, because simplifying the markup
requirements for release notes won't help much unless we do it in all
branches.
2014-02-10 20:48:30 -05:00
Bruce Momjian
75c02a31e0 Update copyright for 2014
Update all files in head, and files COPYRIGHT and legal.sgml in all back
branches.
2014-01-07 16:05:29 -05:00
Tom Lane
85eb066ecd Fix ancient docs/comments thinko: XID comparison is mod 2^32, not 2^31.
Pointed out by Gianni Ciolli.
2013-12-12 12:40:07 -05:00
Tom Lane
67f898bd36 Update release notes for 9.3.2, 9.2.6, 9.1.11, 9.0.15, 8.4.19. 2013-12-02 15:54:11 -05:00
Tom Lane
0d6a006df6 Clarify CREATE FUNCTION documentation about handling of typmods.
The previous text was a bit misleading, as well as unnecessarily vague
about what information would be discarded.  Per gripe from Craig Skinner.
2013-11-13 13:29:45 -05:00
Tom Lane
2268d1c14c Improve the error message given for modifying a window with frame clause.
For rather inscrutable reasons, SQL:2008 disallows copying-and-modifying a
window definition that has any explicit framing clause.  The error message
we gave for this only made sense if the referencing window definition
itself contains an explicit framing clause, which it might well not.
Moreover, in the context of an OVER clause it's not exactly obvious that
"OVER (windowname)" implies copy-and-modify while "OVER windowname" does
not.  This has led to multiple complaints, eg bug #5199 from Iliya
Krapchatov.  Change to a hopefully more intelligible error message, and
in the case where we have just "OVER (windowname)", add a HINT suggesting
that omitting the parentheses will fix it.  Also improve the related
documentation.  Back-patch to all supported branches.
2013-11-05 21:58:26 -05:00
Peter Eisentraut
de63db920f doc: Remove i18ngurus.com link
The web site is dead, and the Wayback Machine shows that it didn't have
much useful content before.
2013-10-21 06:32:20 -04:00
Bruce Momjian
8c64e93370 doc: fix typo in release notes
Backpatch through 8.4

Per suggestion by Amit Langote
2013-10-09 08:44:51 -04:00
Bruce Momjian
3ac00d8701 docs: update release notes for 8.4.18, 9.0.14, 9.1.10, 9.2.5, 9.3.1 2013-10-07 21:35:01 -04:00
Peter Eisentraut
50eeeb0290 doc: Correct psycopg URL 2013-10-02 21:34:59 -04:00
Andrew Dunstan
9346ed0be1 Fix relfrozenxid query in docs to include TOAST tables.
The original query ignored TOAST tables which could result in tables
needing a vacuum not being reported.

Backpatch to all live branches.
2013-09-02 14:41:02 -04:00
Robert Haas
3b35f1caa7 doc: Fix typos in conversion names.
David Christensen
2013-07-19 10:54:43 -04:00
Alvaro Herrera
e9ac1b8775 Mention extra_float_digits in floating point docs
Make it easier for readers of the FP docs to find out about possibly
truncated values.

Per complaint from Tom Duffey in message
F0E0F874-C86F-48D1-AA2A-0C5365BF5118@trillitech.com

Author: Albe Laurenz
Reviewed by: Abhijit Menon-Sen
2013-07-02 13:14:02 -04:00
Tom Lane
57a2155ebb Tweak wording in sequence-function docs to avoid PDF build failures.
Adjust the wording in the first para of "Sequence Manipulation Functions"
so that neither of the link phrases in it break across line boundaries,
in either A4- or US-page-size PDF output.  This fixes a reported build
failure for the 9.3beta2 A4 PDF docs, and future-proofs this particular
para against causing similar problems in future.  (Perhaps somebody will
fix this issue in the SGML/TeX documentation tool chain someday, but I'm
not holding my breath.)

Back-patch to all supported branches, since the same problem could rise up
to bite us in future updates if anyone changes anything earlier than this
in func.sgml.
2013-06-27 00:28:12 -04:00
Noah Misch
d5ce39365f Document effect of constant folding on CASE.
Back-patch to all supported versions.

Laurenz Albe
2013-06-26 19:53:33 -04:00
Peter Eisentraut
98be2b5611 Update CREATE FUNCTION documentation about argument names
More languages than PL/pgSQL actually support parameter names.
2013-06-19 22:33:50 -04:00
Robert Haas
0da76f384d Improve description of loread/lowrite.
Patch by me, reviewed by Tatsuo Ishii.
2013-06-12 12:26:17 -04:00
Tatsuo Ishii
f5ef162dff Add description that loread()/lowrite() are corresponding to
lo_read()/lo_write() in libpq to avoid confusion.
2013-06-11 14:30:26 +09:00
Kevin Grittner
54f68364e4 Correct the documentation of pg_rewrite.ev_attr.
It claimed the value was always zero; it is really always -1.

Per report from Hari Babu

backpatch 734fbbd1d2 to 8.4
2013-06-07 09:18:57 -05:00
Tom Lane
60482b75bc Minor docs wordsmithing.
Swap the order of a couple of phrases to clarify what the adjective
"subsequent" applies to.

Joshua Tolley
2013-06-07 00:09:14 -04:00
Bruce Momjian
4fc423970c docs: log_line_prefix session id fix
Restore 4-byte designation for docs.  Fix 9.3 doc query to properly pad
to four digits.

Backpatch to all active branches

Per suggestions from Ian Lawrence Barwick
2013-05-04 13:15:54 -04:00
Bruce Momjian
adee0d80b8 doc: fix log_line_prefix session_id %c item
Backpatch to 9.1 and earlier

Report from Ian Lawrence Barwick
2013-05-04 11:09:43 -04:00
Peter Eisentraut
2534ac426d doc: Remove excessive table cell 2013-04-04 21:34:06 -04:00
Peter Eisentraut
759d0f19dc doc: Fix number of columns in table 2013-04-04 21:16:52 -04:00
Tom Lane
bc0630bdd3 Update release notes for 9.2.4, 9.1.9, 9.0.13, 8.4.17.
Security: CVE-2013-1899, CVE-2013-1901
2013-04-01 14:11:34 -04:00
Tom Lane
dd3728db28 Document encode(bytea, 'escape')'s behavior correctly.
I changed this in commit fd15dba543, but
missed the fact that the SGML documentation of the function specified
exactly what it did.  Well, one of the two places where it's specified
documented that --- probably I looked at the other place and thought
nothing needed to be done.  Sync the two places where encode() and
decode() are described.
2013-03-28 23:15:08 -04:00
Tom Lane
225046199c Don't put <indexterm> before <term> in <varlistentry> items.
Doing that results in a broken index entry in PDF output.  We had only
a few like that, which is probably why nobody noticed before.
Standardize on putting the <term> first.

Josh Kupershmidt
2013-03-23 14:06:48 -04:00
Tom Lane
8c54115cbb Improve documentation of EXTRACT(WEEK).
The docs showed that early-January dates can be considered part of the
previous year for week-counting purposes, but failed to say explicitly
that late-December dates can also be considered part of the next year.
Fix that, and add a cross-reference to the "isoyear" field.  Per bug
#7967 from Pawel Kobylak.
2013-03-18 13:34:39 -04:00
Peter Eisentraut
e851b1f1b9 doc: Awkward phrasing fix
Josh Kupershmidt
2013-03-03 08:55:32 -05:00
Peter Eisentraut
4fd25a367f doc: Fix markup typo 2013-02-25 18:00:30 -05:00
Peter Eisentraut
570e15f16f doc: Remove PostgreSQL version number from xml2 deprecation notice
It is obviously no longer true.
2013-02-24 15:41:06 -05:00
Tom Lane
308ba8702c Prevent execution of enum_recv() from SQL.
This function was misdeclared to take cstring when it should take internal.
This at least allows crashing the server, and in principle an attacker
might be able to use the function to examine the contents of server memory.

The correct fix is to adjust the system catalog contents (and fix the
regression tests that should have caught this but failed to).  However,
asking users to correct the catalog contents in existing installations
is a pain, so as a band-aid fix for the back branches, install a check
in enum_recv() to make it throw error if called with a cstring argument.
We will later revert this in HEAD in favor of correcting the catalogs.

Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue.

Security: CVE-2013-0255
2013-02-04 16:25:25 -05:00
Tom Lane
90f77d759b Update release notes for 9.2.3, 9.1.8, 9.0.12, 8.4.16, 8.3.23. 2013-02-04 15:50:56 -05:00
Alvaro Herrera
fe738d77f1 DROP OWNED: don't try to drop tablespaces/databases
My "fix" for bugs #7578 and #6116 on DROP OWNED at fe3b5eb08a not only
misstated that it applied to REASSIGN OWNED (which it did not affect),
but it also failed to fix the problems fully, because I didn't test the
case of owned shared objects.  Thus I created a new bug, reported by
Thomas Kellerer as #7748, which would cause DROP OWNED to fail with a
not-for-user-consumption error message.  The code would attempt to drop
the database, which not only fails to work because the underlying code
does not support that, but is a pretty dangerous and undesirable thing
to be doing as well.

This patch fixes that bug by having DROP OWNED only attempt to process
shared objects when grants on them are found, ignoring ownership.

Backpatch to 8.3, which is as far as the previous bug was backpatched.
2013-01-28 19:02:26 -03:00
Peter Eisentraut
bed5141685 doc: Fix syntax of a URL
Leading white space before the "http:" is apparently treated as a
relative link at least by some browsers.
2013-01-20 19:42:01 -05:00