diff options
| author | Nathan Bossart <nathan@postgresql.org> | 2023-07-07 11:25:13 -0700 |
|---|---|---|
| committer | Nathan Bossart <nathan@postgresql.org> | 2023-07-07 11:25:13 -0700 |
| commit | 151c22deee66a3390ca9a1c3675e29de54ae73fc (patch) | |
| tree | e53584f9b07a0417e0f46d89aaba08d24b591a06 /src/backend/commands/tablecmds.c | |
| parent | ec99d6e9c87a8ff0f4805cc0c6c12cbb89c48e06 (diff) | |
| download | postgresql-151c22deee66a3390ca9a1c3675e29de54ae73fc.tar.gz postgresql-151c22deee66a3390ca9a1c3675e29de54ae73fc.zip | |
Revert MAINTAIN privilege and pg_maintain predefined role.
This reverts the following commits: 4dbdb82513, c2122aae63,
5b1a879943, 9e1e9d6560, ff9618e82a, 60684dd834, 4441fc704d,
and b5d6382496. A role with the MAINTAIN privilege may be able to
use search_path tricks to escalate privileges to the table owner.
Unfortunately, it is too late in the v16 development cycle to apply
the proposed fix, i.e., restricting search_path when running
maintenance commands.
Bumps catversion.
Reviewed-by: Jeff Davis
Discussion: https://postgr.es/m/E1q7j7Y-000z1H-Hr%40gemulon.postgresql.org
Backpatch-through: 16
Diffstat (limited to 'src/backend/commands/tablecmds.c')
| -rw-r--r-- | src/backend/commands/tablecmds.c | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index fce5e6f2209..5316f583081 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -16978,16 +16978,15 @@ AtEOSubXact_on_commit_actions(bool isCommit, SubTransactionId mySubid, * This is intended as a callback for RangeVarGetRelidExtended(). It allows * the relation to be locked only if (1) it's a plain or partitioned table, * materialized view, or TOAST table and (2) the current user is the owner (or - * the superuser) or has been granted MAINTAIN. This meets the - * permission-checking needs of CLUSTER, REINDEX TABLE, and REFRESH - * MATERIALIZED VIEW; we expose it here so that it can be used by all. + * the superuser). This meets the permission-checking needs of CLUSTER, + * REINDEX TABLE, and REFRESH MATERIALIZED VIEW; we expose it here so that it + * can be used by all. */ void -RangeVarCallbackMaintainsTable(const RangeVar *relation, - Oid relId, Oid oldRelId, void *arg) +RangeVarCallbackOwnsTable(const RangeVar *relation, + Oid relId, Oid oldRelId, void *arg) { char relkind; - AclResult aclresult; /* Nothing to do if the relation was not found. */ if (!OidIsValid(relId)) @@ -17008,9 +17007,8 @@ RangeVarCallbackMaintainsTable(const RangeVar *relation, errmsg("\"%s\" is not a table or materialized view", relation->relname))); /* Check permissions */ - aclresult = pg_class_aclcheck(relId, GetUserId(), ACL_MAINTAIN); - if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, OBJECT_TABLE, relation->relname); + if (!object_ownercheck(RelationRelationId, relId, GetUserId())) + aclcheck_error(ACLCHECK_NOT_OWNER, get_relkind_objtype(get_rel_relkind(relId)), relation->relname); } /* |