From 355eb0bff3c8ffd14a4c0f7c39ad81330aff6a89 Mon Sep 17 00:00:00 2001 From: Feike Steenbergen Date: Thu, 21 Dec 2017 10:08:04 +0000 Subject: [PATCH 1/1] Fix permissions check on pg_stat_get_wal_senders Commit 25fff40798fc4ac11a241bfd9ab0c45c085e2212 introduced the possibility for the pg_read_all_stats to have access to all pg_stat_* views. In the discussion, the pg_stat_replication and pg_stat_wal_receiver views were also considered to be part of that, however pg_stat_get_wal_senders was somehow not part of that commit, that seems an oversight. 1: https://www.postgresql.org/message-id/CA%2BOCxoyYxO%2BJmzv2Micj4uAaQdAi6nq0w25BPQgLLxsrvTmREw%40mail.gmail.com --- src/backend/replication/walreceiver.c | 3 ++- src/backend/replication/walsender.c | 8 +++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c index fe4e085938..85803500b1 100644 --- a/src/backend/replication/walreceiver.c +++ b/src/backend/replication/walreceiver.c @@ -1442,7 +1442,8 @@ pg_stat_get_wal_receiver(PG_FUNCTION_ARGS) if (!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) { /* - * Only superusers can see details. Other users only get the pid value + * Only superusers and members of pg_read_all_stats can see details. + * Other users only get the pid value * to know whether it is a WAL receiver, but no details. */ MemSet(&nulls[1], true, sizeof(bool) * (tupdesc->natts - 1)); diff --git a/src/backend/replication/walsender.c b/src/backend/replication/walsender.c index 6a252fcf45..fd3b47cda0 100644 --- a/src/backend/replication/walsender.c +++ b/src/backend/replication/walsender.c @@ -56,6 +56,7 @@ #include "access/xlog_internal.h" #include "access/xlogutils.h" +#include "catalog/pg_authid.h" #include "catalog/pg_type.h" #include "commands/dbcommands.h" #include "commands/defrem.h" @@ -3236,11 +3237,12 @@ pg_stat_get_wal_senders(PG_FUNCTION_ARGS) memset(nulls, 0, sizeof(nulls)); values[0] = Int32GetDatum(pid); - if (!superuser()) + if (!is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) { /* - * Only superusers can see details. Other users only get the pid - * value to know it's a walsender, but no details. + * Only superusers and members of pg_read_all_stats can see details. + * Other users only get the pid value to know it's a walsender, + * but no details. */ MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1); } -- 2.14.3 (Apple Git-98)