From e530be2c5ce77475d56ccf8f4e0c4872b666ad5f Mon Sep 17 00:00:00 2001 From: Robert Haas Date: Tue, 26 Jul 2022 14:10:38 -0400 Subject: [PATCH] Do not allow removal of superuser privileges from bootstrap user. A bootstrap user who is not a superuser will still own many important system objects, such as the pg_catalog schema, that will likely allow that user to regain superuser status. Therefore, allowing the superuser property to be removed from the superuser creates a false perception of security where none exists. Although removing superuser from the bootstrap user is also a bad idea and should be considered unsupported in all released versions, no back-patch, as this is a behavior change. Discussion: http://postgr.es/m/CA+TgmoZirCwArJms_fgvLBFrC6b=HdxmG7iAhv+kt_=NBA7tEw@mail.gmail.com --- src/backend/commands/user.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index 5b24b6dcad..37260edbe4 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -693,7 +693,14 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt) */ if (dissuper) { - new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(boolVal(dissuper->arg)); + bool should_be_super = BoolGetDatum(boolVal(dissuper->arg)); + + if (!should_be_super && roleid == BOOTSTRAP_SUPERUSERID) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied: bootstrap user must be superuser"))); + + new_record[Anum_pg_authid_rolsuper - 1] = should_be_super; new_record_repl[Anum_pg_authid_rolsuper - 1] = true; } -- 2.30.2