Skip to content

Commit df7fe9e

Browse files
peterepetere
committed
Disallow dropping rules on system tables by default
This was previously not covered by allow_system_table_mods, but now it is. The impact in practice is probably low, but this makes it consistent with most other DDL commands. Reviewed-by: Robert Haas <robertmhaas@gmail.com> Discussion: https://www.postgresql.org/message-id/flat/ee9df1af-c0d8-7c82-5be7-39ce4e3b0a9d%402ndquadrant.com
1 parent 8c6d30f commit df7fe9e

File tree

3 files changed

+27
-2
lines changed

3 files changed

+27
-2
lines changed

src/backend/rewrite/rewriteRemove.c

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
#include "access/htup_details.h"
1919
#include "access/sysattr.h"
2020
#include "access/table.h"
21+
#include "catalog/catalog.h"
2122
#include "catalog/dependency.h"
2223
#include "catalog/indexing.h"
2324
#include "catalog/namespace.h"
@@ -28,6 +29,7 @@
2829
#include "utils/fmgroids.h"
2930
#include "utils/inval.h"
3031
#include "utils/lsyscache.h"
32+
#include "utils/rel.h"
3133
#include "utils/syscache.h"
3234

3335
/*
@@ -72,6 +74,12 @@ RemoveRewriteRuleById(Oid ruleOid)
7274
eventRelationOid = ((Form_pg_rewrite) GETSTRUCT(tuple))->ev_class;
7375
event_relation = table_open(eventRelationOid, AccessExclusiveLock);
7476

77+
if (!allowSystemTableMods && IsSystemRelation(event_relation))
78+
ereport(ERROR,
79+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
80+
errmsg("permission denied: \"%s\" is a system catalog",
81+
RelationGetRelationName(event_relation))));
82+
7583
/*
7684
* Now delete the pg_rewrite tuple for the rule
7785
*/

src/test/modules/unsafe_tests/expected/alter_system_table.out

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,16 @@ CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
8181
ERROR: permission denied: "pg_description" is a system catalog
8282
ALTER RULE r1 ON pg_description RENAME TO r2;
8383
ERROR: permission denied: "pg_description" is a system catalog
84-
--DROP RULE r2 ON pg_description;
84+
-- now make one to test dropping:
85+
SET allow_system_table_mods TO on;
86+
CREATE RULE r2 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
87+
RESET allow_system_table_mods;
88+
DROP RULE r2 ON pg_description;
89+
ERROR: permission denied: "pg_description" is a system catalog
90+
-- cleanup:
91+
SET allow_system_table_mods TO on;
92+
DROP RULE r2 ON pg_description;
93+
RESET allow_system_table_mods;
8594
SET allow_system_table_mods = on;
8695
-- create new table in pg_catalog
8796
BEGIN;

src/test/modules/unsafe_tests/sql/alter_system_table.sql

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -79,7 +79,15 @@ ALTER TRIGGER t1 ON pg_description RENAME TO t2;
7979
-- rules
8080
CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
8181
ALTER RULE r1 ON pg_description RENAME TO r2;
82-
--DROP RULE r2 ON pg_description;
82+
-- now make one to test dropping:
83+
SET allow_system_table_mods TO on;
84+
CREATE RULE r2 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
85+
RESET allow_system_table_mods;
86+
DROP RULE r2 ON pg_description;
87+
-- cleanup:
88+
SET allow_system_table_mods TO on;
89+
DROP RULE r2 ON pg_description;
90+
RESET allow_system_table_mods;
8391

8492

8593
SET allow_system_table_mods = on;

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy