On 12/18/12 12:09 PM, Peter Eisentraut wrote:
> There are some system administration functions that have hardcoded
> superuser checks, specifically:
> 
> pg_reload_conf
> pg_rotate_logfile
> pg_read_file
> pg_read_file_all
> pg_read_binary_file
> pg_read_binary_file_all
> pg_stat_file
> pg_ls_dir
> 
> Some of these are useful in monitoring or maintenance tools, and the
> hardcoded superuser checks require that these tools run with maximum
> privileges.  Couldn't we just install these functions without default
> privileges and allow users to grant privileges as necessary?

This is still being debated, but just for the heck of it, here is a
patch showing how this implementation would look.

diff --git a/src/backend/catalog/system_views.sql 
b/src/backend/catalog/system_views.sql
index c479c23..f6c2c53 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -773,3 +773,16 @@ CREATE FUNCTION ts_debug(IN document text,
 CREATE OR REPLACE FUNCTION
   pg_start_backup(label text, fast boolean DEFAULT false)
   RETURNS text STRICT VOLATILE LANGUAGE internal AS 'pg_start_backup';
+
+
+/*
+Revoke privileges for functions that should be accessible by
+superusers only by default.  We can't set the privileges in pg_proc.h,
+because bootstrap mode doesn't handle aclitem arrays.
+*/
+REVOKE EXECUTE ON FUNCTION pg_read_file(text, bigint, bigint) FROM PUBLIC;
+REVOKE EXECUTE ON FUNCTION pg_read_file(text) FROM PUBLIC;
+REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text, bigint, bigint) FROM 
PUBLIC;
+REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text) FROM PUBLIC;
+REVOKE EXECUTE ON FUNCTION pg_stat_file(text) FROM PUBLIC;
+REVOKE EXECUTE ON FUNCTION pg_ls_dir(text) FROM PUBLIC;
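Review bot: The comment above the new REVOKE block says why the privileges are set here instead of pg_proc.h, but not what a later GRANT on these functions implies, and that is the thing an administrator reading system_views.sql needs to know once the `superuser()` checks are dropped in the genfile.c hunks and the only remaining in-C guard is convert_and_check_filename (not part of this patch). I would extend the comment with a sentence such as `Granting EXECUTE on any of these to a role gives that role read access to server-side files, so treat such a grant as a highly privileged one.` The cover mail also lists pg_reload_conf and pg_rotate_logfile as candidates, but no REVOKE for them appears in this hunk; if leaving them superuser-checked is intentional, a one-line note saying so would prevent someone from "completing" the list. The `FROM` / `PUBLIC;` split on the pg_read_binary_file(text, bigint, bigint) statement looks like mail-client line wrapping rather than patch content, but it is worth confirming before the patch is applied.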
diff --git a/src/backend/utils/adt/genfile.c b/src/backend/utils/adt/genfile.c
index f53c7d4..c545dd8 100644
--- a/src/backend/utils/adt/genfile.c
+++ b/src/backend/utils/adt/genfile.c
@@ -174,11 +174,6 @@
        int64           bytes_to_read = PG_GETARG_INT64(2);
        char       *filename;
 
-       if (!superuser())
-               ereport(ERROR,
-                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-                                (errmsg("must be superuser to read files"))));
-
        filename = convert_and_check_filename(filename_t);
 
        if (bytes_to_read < 0)
@@ -198,11 +193,6 @@
        text       *filename_t = PG_GETARG_TEXT_P(0);
        char       *filename;
 
-       if (!superuser())
-               ereport(ERROR,
-                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-                                (errmsg("must be superuser to read files"))));
-
        filename = convert_and_check_filename(filename_t);
 
        PG_RETURN_TEXT_P(read_text_file(filename, 0, -1));
@@ -219,11 +209,6 @@
        int64           bytes_to_read = PG_GETARG_INT64(2);
        char       *filename;
 
-       if (!superuser())
-               ereport(ERROR,
-                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-                                (errmsg("must be superuser to read files"))));
-
        filename = convert_and_check_filename(filename_t);
 
        if (bytes_to_read < 0)
@@ -243,11 +228,6 @@
        text       *filename_t = PG_GETARG_TEXT_P(0);
        char       *filename;
 
-       if (!superuser())
-               ereport(ERROR,
-                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-                                (errmsg("must be superuser to read files"))));
-
        filename = convert_and_check_filename(filename_t);
 
        PG_RETURN_BYTEA_P(read_binary_file(filename, 0, -1));
@@ -267,11 +247,6 @@
        HeapTuple       tuple;
        TupleDesc       tupdesc;
 
-       if (!superuser())
-               ereport(ERROR,
-                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-                                (errmsg("must be superuser to get file 
information"))));
-
        filename = convert_and_check_filename(filename_t);
 
        if (stat(filename, &fst) < 0)
@@ -331,11 +306,6 @@
        struct dirent *de;
        directory_fctx *fctx;
 
-       if (!superuser())
-               ereport(ERROR,
-                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-                                (errmsg("must be superuser to get directory 
listings"))));
-
        if (SRF_IS_FIRSTCALL())
        {
                MemoryContext oldcontext;
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
