path: root/src/backend/commands/extension.c
author Tom Lane <tgl@sss.pgh.pa.us> 2022-07-19 17:22:03 -0400
committer Tom Lane <tgl@sss.pgh.pa.us> 2022-07-19 17:22:31 -0400
commit a2944d8724522c5659c024b191f2fbfa9770faaf
tree a42857837a7d2885d116ff1767c6c35d87d7d9d5 /src/backend/commands/extension.c
parent 795ccd44037cbe14a7366d90de94764a7136deb7
Fix missed corner cases for grantable permissions on GUCs.

We allow users to set the values of not-yet-loaded extension GUCs, remembering those values in "placeholder" GUC entries. When/if the extension is loaded later in the session, we need to verify that the user had permissions to set the GUC. That was done correctly before commit a0ffa885e, but as of that commit, we'd check the permissions of the active role when the LOAD happens, not the role that had set the value. (This'd be a security bug if it had made it into a released version.)

In principle this is simple enough to fix: we just need to remember the exact role OID that set each GUC value, and use that not GetUserID() when verifying permissions. Maintaining that data in the guc.c data structures is slightly tedious, but fortunately it's all basically just copy-n-paste of the logic for tracking the GucSource of each setting, as we were already doing.

Another oversight is that validate_option_array_item() hadn't been taught to check for granted GUC privileges. This appears to manifest only in that ALTER ROLE/DATABASE RESET ALL will fail to reset settings that the user should be allowed to reset.

Patch by myself and Nathan Bossart, per report from Nathan Bossart. Back-patch to v15 where the faulty code came in.

Discussion: https://postgr.es/m/20220706224727.GA2158260@nathanxps13

Diffstat (limited to 'src/backend/commands/extension.c')
-rw-r--r-- src/backend/commands/extension.c 10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c
index 767d9b96190..eb4878701a1 100644
--- a/src/backend/commands/extension.c
+++ b/src/backend/commands/extension.c
@@ -907,6 +907,9 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
* We use the equivalent of a function SET option to allow the setting to
* persist for exactly the duration of the script execution. guc.c also
* takes care of undoing the setting on error.
+ *
+ * log_min_messages can't be set by ordinary users, so for that one we
+ * pretend to be superuser.
*/
save_nestlevel = NewGUCNestLevel();
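Review bot: The added comment lines about log_min_messages say only that we "pretend to be superuser" and do not say why that is safe here. It would help to state that the value is the fixed string "warning" and that the setting lasts only for the duration of the script, as the sentences just above describe for the mechanism, and to name BOOTSTRAP_SUPERUSERID so a reader can get from the comment to the call that implements it.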
@@ -915,9 +918,10 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
PGC_USERSET, PGC_S_SESSION,
GUC_ACTION_SAVE, true, 0, false);
if (log_min_messages < WARNING)
- (void) set_config_option("log_min_messages", "warning",
- PGC_SUSET, PGC_S_SESSION,
- GUC_ACTION_SAVE, true, 0, false);
+ (void) set_config_option_ext("log_min_messages", "warning",
+ PGC_SUSET, PGC_S_SESSION,
+ BOOTSTRAP_SUPERUSERID,
+ GUC_ACTION_SAVE, true, 0, false);
/*
* Similarly disable check_function_bodies, to ensure that SQL functions
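Review bot: The log_min_messages call now hard-codes BOOTSTRAP_SUPERUSERID as the setting role alongside PGC_SUSET, while the call just above it (PGC_USERSET, PGC_S_SESSION) keeps the form without a role argument. Since the diff shown here is limited to extension.c, please confirm that any other caller passing PGC_SUSET on behalf of a possibly unprivileged user received the same treatment, and consider a one-line comment at the call itself noting that the role argument is deliberate and applies only to this fixed value.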