authorTom Lane <tgl@sss.pgh.pa.us>2006-01-13 18:06:45 +0000
committerTom Lane <tgl@sss.pgh.pa.us>2006-01-13 18:06:45 +0000
commit1564e92cea27a22ace7da635fe73fc23f96f8d4e (patch)
treec3cc191a5dd42f56c7b56e4405e98ebafa5d488d /src
parent4b3252c4b8533bacfe6b14d866d2cdae79574b1c (diff)
Require the issuer of CREATE TYPE to own the functions mentioned in the
type definition. Because use of a type's I/O conversion functions isn't access-checked, CREATE TYPE amounts to granting public execute permissions on the functions, and so allowing it to anybody means that someone could theoretically gain access to a function he's not supposed to be able to execute. The parameter-type restrictions already enforced by CREATE TYPE make it fairly unlikely that this oversight is meaningful in practice, but still it seems like a good idea to plug the hole going forward. Also, document the implicit grant just in case anybody gets the idea of building I/O functions that might need security restrictions.
Diffstat (limited to 'src')
-rw-r--r--src/backend/commands/typecmds.c26
1 files changed, 25 insertions, 1 deletions
diff --git a/src/backend/commands/typecmds.c b/src/backend/commands/typecmds.c
index 389fe133a58..143695252f4 100644
--- a/src/backend/commands/typecmds.c
+++ b/src/backend/commands/typecmds.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/commands/typecmds.c,v 1.85 2005/11/22 18:17:09 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/typecmds.c,v 1.86 2006/01/13 18:06:45 tgl Exp $
*
* DESCRIPTION
* The "DefineFoo" routines take the parse tree and pick out the
@@ -331,6 +331,30 @@ DefineType(List *names, List *parameters)
analyzeOid = findTypeAnalyzeFunction(analyzeName, typoid);
/*
+ * Check permissions on functions. We choose to require the creator/owner
+ * of a type to also own the underlying functions. Since creating a type
+ * is tantamount to granting public execute access on the functions, the
+ * minimum sane check would be for execute-with-grant-option. But we don't
+ * have a way to make the type go away if the grant option is revoked, so
+ * ownership seems better.
+ */
+ if (inputOid && !pg_proc_ownercheck(inputOid, GetUserId()))
+ aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+ NameListToString(inputName));
+ if (outputOid && !pg_proc_ownercheck(outputOid, GetUserId()))
+ aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+ NameListToString(outputName));
+ if (receiveOid && !pg_proc_ownercheck(receiveOid, GetUserId()))
+ aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+ NameListToString(receiveName));
+ if (sendOid && !pg_proc_ownercheck(sendOid, GetUserId()))
+ aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+ NameListToString(sendName));
+ if (analyzeOid && !pg_proc_ownercheck(analyzeOid, GetUserId()))
+ aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+ NameListToString(analyzeName));
+
+ /*
* now have TypeCreate do all the real work.
*/
typoid =
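Review bot: The ownership checks added here are a point-in-time test, and the comment above them does not say so: once the type exists, nothing in this path is revisited if the function's owner later changes (e.g. via ALTER FUNCTION ... OWNER TO), so the implicit public execute access the commit message describes survives that transfer just as it would survive a revoked grant option. I would add a sentence to the comment such as `* Note this is only enforced at CREATE TYPE time; a later change of function ownership does not revoke the implicit grant.` so the next maintainer does not assume the dependency is tracked. As a point of style, the five identical owner checks on inputOid, outputOid, receiveOid, sendOid and analyzeOid could be collapsed into one `static void checkProcOwnership(Oid procOid, List *procName)` helper that performs the `pg_proc_ownercheck(procOid, GetUserId())` test and the `aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC, NameListToString(procName))` call, which would keep future I/O-function slots from silently missing the check. The enclosing DefineType body begins and ends outside this hunk, so I cannot see whether the superuser bypass inside pg_proc_ownercheck is the intended behaviour here or whether the function lookups earlier in DefineType already reject some of these cases.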