On 09/11/2011 09:40 PM, Andrew Dunstan wrote:


On 09/09/2011 11:34 PM, Bruce Momjian wrote:
Robert Haas wrote:
On Sat, May 7, 2011 at 11:42 PM, Bruce Momjian <br...@momjian.us> wrote:
Is this a TODO?
I think so.
Added to TODO:

Address problem where superusers are assumed to be members of all groups

http://archives.postgresql.org/pgsql-hackers/2011-04/msg00337.php

This turns out to be a one-liner.
Patch with a small docs addition also. Adding to Nov commitfest.

cheers

andrew


diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 5d543cb..baed090 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -210,7 +210,10 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        in <productname>PostgreSQL</>; a <literal>+</> mark really means
        <quote>match any of the roles that are directly or indirectly members
        of this role</>, while a name without a <literal>+</> mark matches
-       only that specific role.)
+       only that specific role.) For this purpose, a superuser is only
+       considered to be a member of a role if they are explicitly a member
+       of the role, directly or indirectly, and not just by virtue of
+       being a superuser.
        Multiple user names can be supplied by separating them with commas.
        A separate file containing user names can be specified by preceding the
        file name with <literal>@</>.
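Review bot: the new sentence puts "only" in the wrong place, which makes it read as if superusers are considered members of nothing else; move the qualifier next to the condition, e.g. "a superuser is considered a member of a role only if they are explicitly a member of the role, directly or indirectly, and not merely by virtue of being a superuser." The paragraph should also say plainly that this is a behaviour change: a superuser that previously matched a "+role" entry in pg_hba.conf will no longer match it unless the superuser has actually been granted that role, so an installation that relied on the implicit match needs either an explicit entry for the superuser or a GRANT of the role, otherwise the superuser can be locked out after upgrading. One sentence here plus a line in the release notes would cover it.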
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 1ee030f..1c84a60 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -442,8 +442,13 @@ is_member(Oid userid, const char *role)
 	if (!OidIsValid(roleid))
 		return false;			/* if target role not exist, say "no" */
 
-	/* See if user is directly or indirectly a member of role */
-	return is_member_of_role(userid, roleid);
+	/* 
+	 * See if user is directly or indirectly a member of role.
+	 * For this purpose, a superuser is not considered to be automatically
+	 * a member of the role, so group auth only applies to explicit
+	 * membership.
+	 */
+	return is_member_of_role_nosuper(userid, roleid);
 }
 
 /*
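Review bot: the switch to is_member_of_role_nosuper() is the right primitive for this TODO, but the hunk touches no includes, so confirm that hba.c already pulls in the header that declares the _nosuper variant (the existing is_member_of_role() call suggests utils/acl.h is present) and that the function is exported rather than static. The opening "/* " of the new comment block carries a trailing space; drop it. Because this one line changes who passes authentication, the commit message should spell out the compatibility consequence: a superuser whose only matching pg_hba.conf entry is a "+group" line will now fall through to later lines, or be rejected if none match, which is the intended fix but can lock a superuser out on upgrade if the configuration is not reviewed first.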
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers