From 6198420ad8a72e37f4fe4964616b17e0fd33b808 Mon Sep 17 00:00:00 2001
From: Joe Conway
Date: Mon, 28 Mar 2022 15:10:04 -0400
Subject: Use has_privs_for_roles for predefined role checks
Generally if a role is granted membership to another role with NOINHERIT
they must use SET ROLE to access the privileges of that role, however
with predefined roles the membership and privilege is conflated. Fix that
by replacing is_member_of_role with has_privs_for_role for predefined
roles. Patch does not remove is_member_of_role from acl.h, but it does
add a warning not to use that function for privilege checking. Not
backpatched based on hackers list discussion.
Author: Joshua Brindle
Reviewed-by: Stephen Frost, Nathan Bossart, Joe Conway
Discussion: https://postgr.es/m/flat/CAGB+Vh4Zv_TvKt2tv3QNS6tUM_F_9icmuj0zjywwcgVi4PAhFA@mail.gmail.com
---
doc/src/sgml/adminpack.sgml | 6 +++---
doc/src/sgml/catalogs.sgml | 12 ++++++------
doc/src/sgml/func.sgml | 12 ++++++------
doc/src/sgml/monitoring.sgml | 2 +-
doc/src/sgml/pgbuffercache.sgml | 2 +-
doc/src/sgml/pgfreespacemap.sgml | 2 +-
doc/src/sgml/pgrowlocks.sgml | 2 +-
doc/src/sgml/pgstatstatements.sgml | 2 +-
doc/src/sgml/pgvisibility.sgml | 4 ++--
9 files changed, 22 insertions(+), 22 deletions(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/adminpack.sgml b/doc/src/sgml/adminpack.sgml
index 0dd89be3534..5702456cd25 100644
--- a/doc/src/sgml/adminpack.sgml
+++ b/doc/src/sgml/adminpack.sgml
@@ -22,9 +22,9 @@
functions in , which
provide read-only access.)
Only files within the database cluster directory can be accessed, unless the
- user is a superuser or given one of the pg_read_server_files, or pg_write_server_files
- roles, as appropriate for the function, but either a relative or absolute path is
- allowable.
+ user is a superuser or given privileges of one of the pg_read_server_files,
+ or pg_write_server_files roles, as appropriate for the function, but either a
+ relative or absolute path is allowable.
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 94f01e40996..23e06b81a4f 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -10044,8 +10044,8 @@ SCRAM-SHA-256$<iteration count>:&l
By default, the pg_backend_memory_contexts view can be
- read only by superusers or members of the pg_read_all_stats
- role.
+ read only by superusers or roles with the privileges of the
+ pg_read_all_stats role.
@@ -12552,7 +12552,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
Configuration file the current value was set in (null for
values set from sources other than configuration files, or when
- examined by a user who is neither a superuser or a member of
+ examined by a user who neither is a superuser nor has privileges of
pg_read_all_settings); helpful when using
include directives in configuration files
@@ -12565,7 +12565,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
Line number within the configuration file the current value was
set at (null for values set from sources other than configuration files,
- or when examined by a user who is neither a superuser or a member of
+ or when examined by a user who neither is a superuser nor has privileges of
pg_read_all_settings).
@@ -12941,8 +12941,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
By default, the pg_shmem_allocations view can be
- read only by superusers or members of the pg_read_all_stats
- role.
+ read only by superusers or roles with privileges of the
+ pg_read_all_stats role.
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 8a802fb2253..3a9d62b4084 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -25435,7 +25435,7 @@ SELECT collation for ('foo' COLLATE "de_DE");
Cancels the current query of the session whose backend process has the
specified process ID. This is also allowed if the
calling role is a member of the role whose backend is being canceled or
- the calling role has been granted pg_signal_backend,
+ the calling role has privileges of pg_signal_backend,
however only superusers can cancel superuser backends.
@@ -25508,7 +25508,7 @@ SELECT collation for ('foo' COLLATE "de_DE");
Terminates the session whose backend process has the
specified process ID. This is also allowed if the calling role
is a member of the role whose backend is being terminated or the
- calling role has been granted pg_signal_backend,
+ calling role has privileges of pg_signal_backend,
however only superusers can terminate superuser backends.
@@ -26783,7 +26783,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
Computes the total disk space used by the database with the specified
name or OID. To use this function, you must
have CONNECT privilege on the specified database
- (which is granted by default) or be a member of
+ (which is granted by default) or have privileges of
the pg_read_all_stats role.
@@ -26913,7 +26913,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
Computes the total disk space used in the tablespace with the
specified name or OID. To use this function, you must
have CREATE privilege on the specified tablespace
- or be a member of the pg_read_all_stats role,
+ or have privileges of the pg_read_all_stats role,
unless it is the default tablespace for the current database.
@@ -27392,7 +27392,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size
a dot, directories, and other special files are excluded.
- This function is restricted to superusers and members of
+ This function is restricted to superusers and roles with privileges of
the pg_monitor role by default, but other users can
be granted EXECUTE to run the function.
@@ -27416,7 +27416,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size
are excluded.
- This function is restricted to superusers and members of
+ This function is restricted to superusers and roles with privileges of
the pg_monitor role by default, but other users can
be granted EXECUTE to run the function.
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index 35b2923c5e8..6a6b09dc456 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -280,7 +280,7 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser
(sessions belonging to a role that they are a member of). In rows about
other sessions, many columns will be null. Note, however, that the
existence of a session and its general properties such as its sessions user
- and database are visible to all users. Superusers and members of the
+ and database are visible to all users. Superusers and roles with privileges of
built-in role pg_read_all_stats (see also ) can see all the information about all sessions.
diff --git a/doc/src/sgml/pgbuffercache.sgml b/doc/src/sgml/pgbuffercache.sgml
index e68d159d30f..a06fd3e26de 100644
--- a/doc/src/sgml/pgbuffercache.sgml
+++ b/doc/src/sgml/pgbuffercache.sgml
@@ -24,7 +24,7 @@
- By default, use is restricted to superusers and members of the
+ By default, use is restricted to superusers and roles with privileges of the
pg_monitor role. Access may be granted to others
using GRANT.
diff --git a/doc/src/sgml/pgfreespacemap.sgml b/doc/src/sgml/pgfreespacemap.sgml
index 1f7867d9b9f..3063885c2cb 100644
--- a/doc/src/sgml/pgfreespacemap.sgml
+++ b/doc/src/sgml/pgfreespacemap.sgml
@@ -16,7 +16,7 @@
- By default use is restricted to superusers and members of the
+ By default use is restricted to superusers and roles with privileges of the
pg_stat_scan_tables role. Access may be granted to others
using GRANT.
diff --git a/doc/src/sgml/pgrowlocks.sgml b/doc/src/sgml/pgrowlocks.sgml
index 392d5f1f9a7..2914bf6e6d6 100644
--- a/doc/src/sgml/pgrowlocks.sgml
+++ b/doc/src/sgml/pgrowlocks.sgml
@@ -13,7 +13,7 @@
- By default use is restricted to superusers, members of the
+ By default use is restricted to superusers, roles with privileges of the
pg_stat_scan_tables role, and users with
SELECT permissions on the table.
diff --git a/doc/src/sgml/pgstatstatements.sgml b/doc/src/sgml/pgstatstatements.sgml
index bc9d5bdbe3b..3a7e36bd13c 100644
--- a/doc/src/sgml/pgstatstatements.sgml
+++ b/doc/src/sgml/pgstatstatements.sgml
@@ -384,7 +384,7 @@
- For security reasons, only superusers and members of the
+ For security reasons, only superusers and roles with privileges of the
pg_read_all_stats role are allowed to see the SQL text and
queryid of queries executed by other users.
Other users can see the statistics, however, if the view has been installed
diff --git a/doc/src/sgml/pgvisibility.sgml b/doc/src/sgml/pgvisibility.sgml
index 75336946a61..8090aa5207e 100644
--- a/doc/src/sgml/pgvisibility.sgml
+++ b/doc/src/sgml/pgvisibility.sgml
@@ -140,8 +140,8 @@
- By default, these functions are executable only by superusers and members of the
- pg_stat_scan_tables role, with the exception of
+ By default, these functions are executable only by superusers and roles with privileges
+ of the pg_stat_scan_tables role, with the exception of
pg_truncate_visibility_map(relation regclass) which can only
be executed by superusers.
--
cgit v1.2.3