diff options
author | Nathan Bossart <nathan@postgresql.org> | 2023-07-07 11:25:13 -0700 |
---|---|---|
committer | Nathan Bossart <nathan@postgresql.org> | 2023-07-07 11:25:13 -0700 |
commit | 151c22deee66a3390ca9a1c3675e29de54ae73fc (patch) | |
tree | e53584f9b07a0417e0f46d89aaba08d24b591a06 /src/backend/commands/cluster.c | |
parent | ec99d6e9c87a8ff0f4805cc0c6c12cbb89c48e06 (diff) | |
download | postgresql-151c22deee66a3390ca9a1c3675e29de54ae73fc.tar.gz postgresql-151c22deee66a3390ca9a1c3675e29de54ae73fc.zip |
Revert MAINTAIN privilege and pg_maintain predefined role.
This reverts the following commits: 4dbdb82513, c2122aae63,
5b1a879943, 9e1e9d6560, ff9618e82a, 60684dd834, 4441fc704d,
and b5d6382496. A role with the MAINTAIN privilege may be able to
use search_path tricks to escalate privileges to the table owner.
Unfortunately, it is too late in the v16 development cycle to apply
the proposed fix, i.e., restricting search_path when running
maintenance commands.
Bumps catversion.
Reviewed-by: Jeff Davis
Discussion: https://postgr.es/m/E1q7j7Y-000z1H-Hr%40gemulon.postgresql.org
Backpatch-through: 16
Diffstat (limited to 'src/backend/commands/cluster.c')
-rw-r--r-- | src/backend/commands/cluster.c | 43 |
1 files changed, 11 insertions, 32 deletions
diff --git a/src/backend/commands/cluster.c b/src/backend/commands/cluster.c index 03b24ab90f1..92c465c05b4 100644 --- a/src/backend/commands/cluster.c +++ b/src/backend/commands/cluster.c @@ -80,7 +80,6 @@ static void copy_table_data(Oid OIDNewHeap, Oid OIDOldHeap, Oid OIDOldIndex, static List *get_tables_to_cluster(MemoryContext cluster_context); static List *get_tables_to_cluster_partitioned(MemoryContext cluster_context, Oid indexOid); -static bool cluster_is_permitted_for_relation(Oid relid, Oid userid); /*--------------------------------------------------------------------------- @@ -148,8 +147,7 @@ cluster(ParseState *pstate, ClusterStmt *stmt, bool isTopLevel) tableOid = RangeVarGetRelidExtended(stmt->relation, AccessExclusiveLock, 0, - RangeVarCallbackMaintainsTable, - NULL); + RangeVarCallbackOwnsTable, NULL); rel = table_open(tableOid, NoLock); /* @@ -366,8 +364,8 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params) */ if (recheck) { - /* Check that the user still has privileges for the relation */ - if (!cluster_is_permitted_for_relation(tableOid, save_userid)) + /* Check that the user still owns the relation */ + if (!object_ownercheck(RelationRelationId, tableOid, save_userid)) { relation_close(OldHeap, AccessExclusiveLock); goto out; @@ -1642,7 +1640,7 @@ finish_heap_swap(Oid OIDOldHeap, Oid OIDNewHeap, /* - * Get a list of tables that the current user has privileges on and + * Get a list of tables that the current user owns and * have indisclustered set. Return the list in a List * of RelToCluster * (stored in the specified memory context), each one giving the tableOid * and the indexOid on which the table is already clustered. @@ -1659,8 +1657,8 @@ get_tables_to_cluster(MemoryContext cluster_context) List *rtcs = NIL; /* - * Get all indexes that have indisclustered set and that the current user - * has the appropriate privileges for. + * Get all indexes that have indisclustered set and are owned by + * appropriate user. */ indRelation = table_open(IndexRelationId, AccessShareLock); ScanKeyInit(&entry, @@ -1674,7 +1672,7 @@ get_tables_to_cluster(MemoryContext cluster_context) index = (Form_pg_index) GETSTRUCT(indexTuple); - if (!cluster_is_permitted_for_relation(index->indrelid, GetUserId())) + if (!object_ownercheck(RelationRelationId, index->indrelid, GetUserId())) continue; /* Use a permanent memory context for the result list */ @@ -1722,13 +1720,10 @@ get_tables_to_cluster_partitioned(MemoryContext cluster_context, Oid indexOid) if (get_rel_relkind(indexrelid) != RELKIND_INDEX) continue; - /* - * It's possible that the user does not have privileges to CLUSTER the - * leaf partition despite having such privileges on the partitioned - * table. We skip any partitions which the user is not permitted to - * CLUSTER. - */ - if (!cluster_is_permitted_for_relation(relid, GetUserId())) + /* Silently skip partitions which the user has no access to. */ + if (!object_ownercheck(RelationRelationId, relid, GetUserId()) && + (!object_ownercheck(DatabaseRelationId, MyDatabaseId, GetUserId()) || + IsSharedRelation(relid))) continue; /* Use a permanent memory context for the result list */ @@ -1744,19 +1739,3 @@ get_tables_to_cluster_partitioned(MemoryContext cluster_context, Oid indexOid) return rtcs; } - -/* - * Return whether userid has privileges to CLUSTER relid. If not, this - * function emits a WARNING. - */ -static bool -cluster_is_permitted_for_relation(Oid relid, Oid userid) -{ - if (pg_class_aclcheck(relid, userid, ACL_MAINTAIN) == ACLCHECK_OK) - return true; - - ereport(WARNING, - (errmsg("permission denied to cluster \"%s\", skipping it", - get_rel_name(relid)))); - return false; -} |