
Commit e79350f

committed
Remove explicit superuser checks in favor of ACLs
This removes the explicit superuser checks in the various file-access functions in the backend, specifically pg_ls_dir(), pg_read_file(), pg_read_binary_file(), and pg_stat_file(). Instead, EXECUTE is REVOKE'd from public for these, meaning that only a superuser is able to run them by default, but access to them can be GRANT'd to other roles. Reviewed-By: Michael Paquier Discussion: https://postgr.es/m/20171231191939.GR2416%40tamriel.snowman.net
1 parent 94c1f9b commit e79350f

2 files changed

+14
-20
lines changed

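--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -1156,6 +1156,20 @@ REVOKE EXECUTE ON FUNCTION lo_export(oid, text) FROM public;
 REVOKE EXECUTE ON FUNCTION pg_ls_logdir() FROM public;
 REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM public;
 
+REVOKE EXECUTE ON FUNCTION pg_read_file(text) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_read_file(text,bigint,bigint) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_read_file(text,bigint,bigint,boolean) FROM public;
+
+REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint,boolean) FROM public;
+
+REVOKE EXECUTE ON FUNCTION pg_stat_file(text) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_stat_file(text,boolean) FROM public;
+
+REVOKE EXECUTE ON FUNCTION pg_ls_dir(text) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_ls_dir(text,boolean,boolean) FROM public;
+
 --
 -- We also set up some things as accessible to standard roles.
 --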
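Review bot: These REVOKE lines are now the only access control for the four file-access functions, since the same commit deletes the superuser() tests in genfile.c, but nothing in this file says so; a short comment above the new block would keep a later edit from treating one of them as redundant, e.g. `-- pg_read_file(), pg_read_binary_file(), pg_stat_file() and pg_ls_dir() have no in-code superuser() check; these REVOKEs are their only privilege gate.` A second, smaller point is style: the new lines write argument lists without a space after the comma (`pg_read_file(text,bigint,bigint)`) while the existing `lo_export(oid, text)` in the hunk header uses one, so `REVOKE EXECUTE ON FUNCTION pg_read_file(text, bigint, bigint) FROM public;` would match the surrounding lines. It is also worth double-checking that every overload of the four functions declared in pg_proc is covered here, since any signature missed would stay executable by PUBLIC with no C-side fallback; I cannot confirm the full overload list from this page.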
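--- a/src/backend/utils/adt/genfile.c
+++ b/src/backend/utils/adt/genfile.c
@@ -195,11 +195,6 @@ pg_read_file(PG_FUNCTION_ARGS)
 char *filename;
 text *result;
 
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser to read files"))));
-
 /* handle optional arguments */
 if (PG_NARGS() >= 3)
 {
@@ -236,11 +231,6 @@ pg_read_binary_file(PG_FUNCTION_ARGS)
 char *filename;
 bytea *result;
 
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser to read files"))));
-
 /* handle optional arguments */
 if (PG_NARGS() >= 3)
 {
@@ -313,11 +303,6 @@ pg_stat_file(PG_FUNCTION_ARGS)
 TupleDesc tupdesc;
 bool missing_ok = false;
 
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser to get file information"))));
-
 /* check the optional argument */
 if (PG_NARGS() == 2)
 missing_ok = PG_GETARG_BOOL(1);
@@ -399,11 +384,6 @@ pg_ls_dir(PG_FUNCTION_ARGS)
 directory_fctx *fctx;
 MemoryContext oldcontext;
 
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser to get directory listings"))));
-
 if (SRF_IS_FIRSTCALL())
 {
 bool missing_ok = false;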