Hi When using a functional index on a table, we realized that the permission check done in pg_stats was incorrect and thus preventing valid access to the statistics from users.
How to reproduce: create table tbl1 (a integer, b integer); insert into tbl1 select x, x % 50 from generate_series(1, 200000) x; create index on tbl1 using btree ((a % (b + 1))); analyze ; create user demo_priv encrypted password 'demo'; revoke ALL on SCHEMA public from PUBLIC ; grant select on tbl1 to demo_priv; grant usage on schema public to demo_priv; And as demo_priv user: select tablename, attname from pg_stats where tablename like 'tbl1%'; Returns: tablename | attname -----------+--------- tbl1 | a tbl1 | b (2 rows) Expected: tablename | attname ---------------+--------- tbl1 | a tbl1 | b tbl1_expr_idx | expr (3 rows) The attached patch fixes this by introducing a second path in privilege check in pg_stats view. I have not written a regression test yet, mainly because I'm not 100% certain where to write it. Given some hints, I would happily add it to this patch. Regards Pierre Ducroquet
>From c2f638a9491e103311161208715dfcbcb55a2fbd Mon Sep 17 00:00:00 2001 From: Pierre Ducroquet <p.p...@pinaraf.info> Date: Sat, 6 Apr 2019 13:22:29 +0200 Subject: [PATCH] Use a different permission check path for indexes and relations in pg_stats pg_statistic contains information about both table attributes and functional indexes, but the permission check done in pg_stats was only valid for table attributes. This patch thus implements a seperate permission check for functional indexes, that verifies the access for each attribute contained in the index. --- src/backend/catalog/system_views.sql | 10 +++++++++- src/test/regress/expected/rules.out | 4 +++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql index 72f786d6f8..a1e8ea969c 100644 --- a/src/backend/catalog/system_views.sql +++ b/src/backend/catalog/system_views.sql @@ -248,7 +248,15 @@ CREATE VIEW pg_stats WITH (security_barrier) AS JOIN pg_attribute a ON (c.oid = attrelid AND attnum = s.staattnum) LEFT JOIN pg_namespace n ON (n.oid = c.relnamespace) WHERE NOT attisdropped - AND has_column_privilege(c.oid, a.attnum, 'select') + AND (c.relkind = 'r' AND has_column_privilege(c.oid, a.attnum, 'select'::text) + OR + (c.relkind = 'i' AND NOT(EXISTS( + SELECT 1 FROM pg_depend + WHERE pg_depend.objid = c.oid + AND pg_depend.refobjsubid > 0 + AND NOT has_column_privilege(pg_depend.refobjid, pg_depend.refobjsubid::smallint, 'select'::text))) + ) + ) AND (c.relrowsecurity = false OR NOT row_security_active(c.oid)); REVOKE ALL on pg_statistic FROM public; diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out index bf7fca54ee..34953ae4f4 100644 --- a/src/test/regress/expected/rules.out +++ b/src/test/regress/expected/rules.out @@ -2262,7 +2262,9 @@ pg_stats| SELECT n.nspname AS schemaname, JOIN pg_class c ON ((c.oid = s.starelid))) JOIN pg_attribute a ON (((c.oid = a.attrelid) AND (a.attnum = s.staattnum)))) LEFT JOIN pg_namespace n ON ((n.oid = c.relnamespace))) - WHERE ((NOT a.attisdropped) AND has_column_privilege(c.oid, a.attnum, 'select'::text) AND ((c.relrowsecurity = false) OR (NOT row_security_active(c.oid)))); + WHERE ((NOT a.attisdropped) AND (((c.relkind = 'r'::"char") AND has_column_privilege(c.oid, a.attnum, 'select'::text)) OR ((c.relkind = 'i'::"char") AND (NOT (EXISTS ( SELECT 1 + FROM pg_depend + WHERE ((pg_depend.objid = c.oid) AND (pg_depend.refobjsubid > 0) AND (NOT has_column_privilege(pg_depend.refobjid, (pg_depend.refobjsubid)::smallint, 'select'::text)))))))) AND ((c.relrowsecurity = false) OR (NOT row_security_active(c.oid)))); pg_tables| SELECT n.nspname AS schemaname, c.relname AS tablename, pg_get_userbyid(c.relowner) AS tableowner, -- 2.20.1