
Commit 026a91f

committed
Move permissions check from do_pg_start_backup to pg_start_backup
And the same for do_pg_stop_backup. The code in do_pg_* is not allowed to access the catalogs. For manual base backups, the permissions check can be handled in the calling function, and for streaming base backups only users with the required permissions can get past the authentication step in the first place. Reported by Antonin Houska, diagnosed by Andres Freund
1 parent 773e4d5 commit 026a91f

1 file changed

+16
-10
lines changed
1 file changed

+16
-10
lines changed

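--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -8957,6 +8957,11 @@ pg_start_backup(PG_FUNCTION_ARGS)
 
 backupidstr = text_to_cstring(backupid);
 
+if (!superuser() && !has_rolreplication(GetUserId()))
+ereport(ERROR,
+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+errmsg("must be superuser or replication role to run a backup")));
+
 startpoint = do_pg_start_backup(backupidstr, fast, NULL);
 
 snprintf(startxlogstr, sizeof(startxlogstr), "%X/%X",
@@ -8984,6 +8989,9 @@ pg_start_backup(PG_FUNCTION_ARGS)
 *
 * Every successfully started non-exclusive backup must be stopped by calling
 * do_pg_stop_backup() or do_pg_abort_backup().
+*
+* It is the responsibility of the caller of this function to verify the
+* permissions of the calling user!
 */
 XLogRecPtr
 do_pg_start_backup(const char *backupidstr, bool fast, char **labelfile)
@@ -9000,11 +9008,6 @@ do_pg_start_backup(const char *backupidstr, bool fast, char **labelfile)
 FILE *fp;
 StringInfoData labelfbuf;
 
-if (!superuser() && !has_rolreplication(GetUserId()))
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("must be superuser or replication role to run a backup")));
-
 if (RecoveryInProgress())
 ereport(ERROR,
 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
@@ -9241,6 +9244,11 @@ pg_stop_backup(PG_FUNCTION_ARGS)
 XLogRecPtr stoppoint;
 char stopxlogstr[MAXFNAMELEN];
 
+if (!superuser() && !has_rolreplication(GetUserId()))
+ereport(ERROR,
+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+errmsg("must be superuser or replication role to run a backup")));
+
 stoppoint = do_pg_stop_backup(NULL, true);
 
 snprintf(stopxlogstr, sizeof(stopxlogstr), "%X/%X",
@@ -9254,6 +9262,9 @@ pg_stop_backup(PG_FUNCTION_ARGS)
 
 * If labelfile is NULL, this stops an exclusive backup. Otherwise this stops
 * the non-exclusive backup specified by 'labelfile'.
+*
+* It is the responsibility of the caller of this function to verify the
+* permissions of the calling user!
 */
 XLogRecPtr
 do_pg_stop_backup(char *labelfile, bool waitforarchive)
@@ -9279,11 +9290,6 @@ do_pg_stop_backup(char *labelfile, bool waitforarchive)
 bool reported_waiting = false;
 char *remaining;
 
-if (!superuser() && !has_rolreplication(GetUserId()))
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser or replication role to run a backup"))));
-
 if (RecoveryInProgress())
 ereport(ERROR,
 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),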
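Review bot: The new header comments on do_pg_start_backup and do_pg_stop_backup say the caller must verify permissions but not why the check cannot live here, so a later cleanup could reasonably move the superuser()/has_rolreplication() test back into the workhorse and reintroduce the catalog access the commit message says is forbidden on this path. I would extend both comments with the reason and the set of callers that are relied on, e.g. `* (This code may run where catalog access is not allowed, so the check` / `* cannot be done here; pg_start_backup() and the replication` / `* authentication step cover the existing callers.)`. The privilege check is now duplicated verbatim in pg_start_backup and pg_stop_backup (hunks 1 and 4); a small static helper would keep the two from drifting apart, which matters because the removed copy in do_pg_stop_backup had already diverged in its ereport parenthesisation. All four enclosing functions begin or end outside these hunks.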
