diff options
| author | Stephen Frost | 2016-04-07 01:45:32 +0000 |
|---|---|---|
| committer | Stephen Frost | 2016-04-07 01:45:32 +0000 |
| commit | 1574783b4ced0356fbc626af1a1a469faa6b41e1 (patch) | |
| tree | 1b999ee5c4a940bf220ee491303eae73cffa637c /src/backend/postmaster | |
| parent | 23f34fa4ba358671adab16773e79c17c92cbc870 (diff) | |
Use GRANT system to manage access to sensitive functions
Now that pg_dump will properly dump out any ACL changes made to
functions which exist in pg_catalog, switch to using the GRANT system
to manage access to those functions.
This means removing 'if (!superuser()) ereport()' checks from the
functions themselves and then REVOKEing EXECUTE right from 'public' for
these functions in system_views.sql.
Reviews by Alexander Korotkov, Jose Luis Tallon
Diffstat (limited to 'src/backend/postmaster')
| -rw-r--r-- | src/backend/postmaster/pgstat.c | 24 |
1 files changed, 9 insertions, 15 deletions
diff --git a/src/backend/postmaster/pgstat.c b/src/backend/postmaster/pgstat.c index 1467355fdda..41f43749b50 100644 --- a/src/backend/postmaster/pgstat.c +++ b/src/backend/postmaster/pgstat.c @@ -1217,6 +1217,9 @@ pgstat_drop_relation(Oid relid) * pgstat_reset_counters() - * * Tell the statistics collector to reset counters for our database. + * + * Permission checking for this function is managed through the normal + * GRANT system. * ---------- */ void @@ -1227,11 +1230,6 @@ pgstat_reset_counters(void) if (pgStatSock == PGINVALID_SOCKET) return; - if (!superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser to reset statistics counters"))); - pgstat_setheader(&msg.m_hdr, PGSTAT_MTYPE_RESETCOUNTER); msg.m_databaseid = MyDatabaseId; pgstat_send(&msg, sizeof(msg)); @@ -1241,6 +1239,9 @@ pgstat_reset_counters(void) * pgstat_reset_shared_counters() - * * Tell the statistics collector to reset cluster-wide shared counters. + * + * Permission checking for this function is managed through the normal + * GRANT system. * ---------- */ void @@ -1251,11 +1252,6 @@ pgstat_reset_shared_counters(const char *target) if (pgStatSock == PGINVALID_SOCKET) return; - if (!superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser to reset statistics counters"))); - if (strcmp(target, "archiver") == 0) msg.m_resettarget = RESET_ARCHIVER; else if (strcmp(target, "bgwriter") == 0) @@ -1274,6 +1270,9 @@ pgstat_reset_shared_counters(const char *target) * pgstat_reset_single_counter() - * * Tell the statistics collector to reset a single counter. + * + * Permission checking for this function is managed through the normal + * GRANT system. * ---------- */ void @@ -1284,11 +1283,6 @@ pgstat_reset_single_counter(Oid objoid, PgStat_Single_Reset_Type type) if (pgStatSock == PGINVALID_SOCKET) return; - if (!superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser to reset statistics counters"))); - pgstat_setheader(&msg.m_hdr, PGSTAT_MTYPE_RESETSINGLECOUNTER); msg.m_databaseid = MyDatabaseId; msg.m_resettype = type; |