authorMagnus Hagander <magnus@hagander.net>2014-01-07 17:47:52 +0100
committerMagnus Hagander <magnus@hagander.net>2014-01-07 17:53:00 +0100
commit61d4d14ee55534dd9fead189a5a339ecdf04e82a (patch)
treefb8443ae522e6e7a81a45b83910ceec651f49947
parent2edf3e82c5e23bf9095cab5c7c19578d46a13e48 (diff)
downloadpostgresql-61d4d14ee55534dd9fead189a5a339ecdf04e82a.tar.gz
postgresql-61d4d14ee55534dd9fead189a5a339ecdf04e82a.zip
Move permissions check from do_pg_start_backup to pg_start_backup
And the same for do_pg_stop_backup. The code in do_pg_* is not allowed to access the catalogs. For manual base backups, the permissions check can be handled in the calling function, and for streaming base backups only users with the required permissions can get past the authentication step in the first place. Reported by Antonin Houska, diagnosed by Andres Freund
-rw-r--r--src/backend/access/transam/xlog.c16
-rw-r--r--src/backend/access/transam/xlogfuncs.c10
2 files changed, 16 insertions, 10 deletions
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index 190d86b7529..1e8bb8bbc69 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -9412,6 +9412,9 @@ issue_xlog_fsync(int fd, uint32 log, uint32 seg)
*
* Every successfully started non-exclusive backup must be stopped by calling
* do_pg_stop_backup() or do_pg_abort_backup().
+ *
+ * It is the responsibility of the caller of this function to verify the
+ * permissions of the calling user!
*/
XLogRecPtr
do_pg_start_backup(const char *backupidstr, bool fast, char **labelfile)
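Review bot: The new header comment on do_pg_start_backup says the caller must verify permissions but never says which permissions, so now that the superuser()/has_rolreplication() test is gone from this function a future caller has nothing concrete to check against. I would make it name the requirement and where it is enforced: `* Callers must verify that the user is a superuser or has the REPLICATION attribute: the SQL-callable pg_start_backup() checks this itself, and the streaming base backup path relies on the replication connection's authentication.` One more line saying why the check cannot live here (per the commit message, do_pg_* must not access the catalogs, which the removed has_rolreplication() call presumably does) would stop the next maintainer from moving it back. The body of do_pg_start_backup continues outside the hunk.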
@@ -9431,11 +9434,6 @@ do_pg_start_backup(const char *backupidstr, bool fast, char **labelfile)
backup_started_in_recovery = RecoveryInProgress();
- if (!superuser() && !has_rolreplication(GetUserId()))
- ereport(ERROR,
- (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- errmsg("must be superuser or replication role to run a backup")));
-
/*
* Currently only non-exclusive backup can be taken during recovery.
*/
@@ -9731,6 +9729,9 @@ pg_start_backup_callback(int code, Datum arg)
* If labelfile is NULL, this stops an exclusive backup. Otherwise this stops
* the non-exclusive backup specified by 'labelfile'.
+ *
+ * It is the responsibility of the caller of this function to verify the
+ * permissions of the calling user!
*/
XLogRecPtr
do_pg_stop_backup(char *labelfile, bool waitforarchive)
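Review bot: The same vague wording is added here, and for do_pg_stop_backup the stakes are slightly different: with labelfile NULL it stops the exclusive backup, so a caller that forgets the check lets an unprivileged role end a backup started by someone else. I would spell that out in the comment: `* Callers must verify that the user is a superuser or has the REPLICATION attribute before calling; with labelfile == NULL this ends the exclusive backup, so an unchecked caller would let any role terminate it.` The body of do_pg_stop_backup continues outside the hunk.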
@@ -9761,11 +9762,6 @@ do_pg_stop_backup(char *labelfile, bool waitforarchive)
backup_started_in_recovery = RecoveryInProgress();
- if (!superuser() && !has_rolreplication(GetUserId()))
- ereport(ERROR,
- (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- (errmsg("must be superuser or replication role to run a backup"))));
-
/*
* Currently only non-exclusive backup can be taken during recovery.
*/
diff --git a/src/backend/access/transam/xlogfuncs.c b/src/backend/access/transam/xlogfuncs.c
index f3c8a09c2aa..b27bf76a22e 100644
--- a/src/backend/access/transam/xlogfuncs.c
+++ b/src/backend/access/transam/xlogfuncs.c
@@ -54,6 +54,11 @@ pg_start_backup(PG_FUNCTION_ARGS)
backupidstr = text_to_cstring(backupid);
+ if (!superuser() && !has_rolreplication(GetUserId()))
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("must be superuser or replication role to run a backup")));
+
startpoint = do_pg_start_backup(backupidstr, fast, NULL);
snprintf(startxlogstr, sizeof(startxlogstr), "%X/%X",
@@ -80,6 +85,11 @@ pg_stop_backup(PG_FUNCTION_ARGS)
XLogRecPtr stoppoint;
char stopxlogstr[MAXFNAMELEN];
+ if (!superuser() && !has_rolreplication(GetUserId()))
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ (errmsg("must be superuser or replication role to run a backup"))));
+
stoppoint = do_pg_stop_backup(NULL, true);
snprintf(stopxlogstr, sizeof(stopxlogstr), "%X/%X",
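Review bot: The errmsg() on the last added line of pg_stop_backup is wrapped in a redundant extra pair of parentheses, `(errmsg("must be superuser or replication role to run a backup"))));`, which differs from the identical check added to pg_start_backup and looks carried over from the removed copy; `errmsg("must be superuser or replication role to run a backup")));` matches the sibling. Since both SQL functions now carry the same privilege test byte for byte, a small `static` helper in xlogfuncs.c (say `check_backup_privilege(void)`) would keep them from drifting and give any future SQL-callable entry point one thing to call, which matters because do_pg_stop_backup no longer enforces anything itself. The placement is right: the check runs before `do_pg_stop_backup(NULL, true)`, so an unprivileged role cannot end an exclusive backup in progress. pg_stop_backup's body continues outside the hunk.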