authorPeter Eisentraut <peter@eisentraut.org>2019-11-29 10:04:45 +0100
committerPeter Eisentraut <peter@eisentraut.org>2019-11-29 10:22:13 +0100
commit508bf95b767140ec1a339bcb53538d21deb9d995 (patch)
treed9d21786d8875f1b7c4a787954c14a5a08b5b01d
parentd4feadeca1591fd5fe91bdf73a7897553f5366d7 (diff)
downloadpostgresql-508bf95b767140ec1a339bcb53538d21deb9d995.tar.gz
postgresql-508bf95b767140ec1a339bcb53538d21deb9d995.zip
Remove any-user DML capability from allow_system_table_mods
Previously, allow_system_table_mods allowed a non-superuser to do DML on a system table without further permission checks. This has been removed, as it was quite inconsistent with the rest of the meaning of this setting. (Since allow_system_table_mods was previously only accessible with a server restart, it is unlikely that anyone was using this possibility.) Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Discussion: https://www.postgresql.org/message-id/flat/8b00ea5e-28a7-88ba-e848-21528b632354%402ndquadrant.com
-rw-r--r--src/backend/catalog/aclchk.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index bed10f94092..ea5666ebb8d 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -3851,7 +3851,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid,
/*
* Deny anyone permission to update a system catalog unless
- * pg_authid.rolsuper is set. Also allow it if allowSystemTableMods.
+ * pg_authid.rolsuper is set.
*
* As of 7.4 we have some updatable system views; those shouldn't be
* protected in this way. Assume the view rules can take care of
@@ -3860,8 +3860,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid,
if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) &&
IsSystemClass(table_oid, classForm) &&
classForm->relkind != RELKIND_VIEW &&
- !superuser_arg(roleid) &&
- !allowSystemTableMods)
+ !superuser_arg(roleid))
{
#ifdef ACLDEBUG
elog(DEBUG2, "permission denied for system catalog update");
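Review bot: The comment above this condition no longer mentions allowSystemTableMods at all, so nothing in the source records that the setting is deliberately not consulted on this privilege check. A later edit could reintroduce the bypass without noticing that it lets a non-superuser write to the catalogs. I would add one line to that comment, for example `* allowSystemTableMods is intentionally not consulted here; it must not grant catalog DML to a non-superuser.` The diffstat lists only aclchk.c, so this commit appears to add no regression test for the new denial. If none exists elsewhere, a test in which a non-superuser with the setting enabled is refused an INSERT on a catalog would guard it. The body of the `if` continues outside the hunk.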