2002-08-27 20:57:26 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
|
|
|
|
* Utility routines for SQL dumping
|
2016-03-24 20:55:44 +01:00
|
|
|
*
|
|
|
|
|
* Basically this is stuff that is useful in both pg_dump and pg_dumpall.
|
2003-05-31 00:55:16 +02:00
|
|
|
*
|
2002-08-27 20:57:26 +02:00
|
|
|
*
|
2018-01-03 05:30:12 +01:00
|
|
|
* Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
|
2002-08-27 20:57:26 +02:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
|
|
|
*
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/bin/pg_dump/dumputils.c
|
2002-08-27 20:57:26 +02:00
|
|
|
*
|
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#include "postgres_fe.h"
|
|
|
|
|
|
|
|
|
|
#include "dumputils.h"
|
2016-03-24 20:55:44 +01:00
|
|
|
#include "fe_utils/string_utils.h"
|
2002-08-27 20:57:26 +02:00
|
|
|
|
|
|
|
|
|
2009-01-22 21:16:10 +01:00
|
|
|
static bool parseAclItem(const char *item, const char *type,
|
|
|
|
|
const char *name, const char *subname, int remoteVersion,
|
|
|
|
|
PQExpBuffer grantee, PQExpBuffer grantor,
|
2003-08-04 02:43:34 +02:00
|
|
|
PQExpBuffer privs, PQExpBuffer privswgo);
|
2003-07-31 19:21:57 +02:00
|
|
|
static char *copyAclUserName(PQExpBuffer output, char *input);
|
2009-01-22 21:16:10 +01:00
|
|
|
static void AddAcl(PQExpBuffer aclbuf, const char *keyword,
|
2009-06-11 16:49:15 +02:00
|
|
|
const char *subname);
|
2004-01-07 01:44:21 +01:00
|
|
|
|
|
|
|
|
|
2003-05-31 00:55:16 +02:00
|
|
|
/*
|
|
|
|
|
* Build GRANT/REVOKE command(s) for an object.
|
|
|
|
|
*
|
|
|
|
|
* name: the object name, in the form to use in the commands (already quoted)
|
2009-01-22 21:16:10 +01:00
|
|
|
* subname: the sub-object name, if any (already quoted); NULL if none
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
* nspname: the namespace the object is in (NULL if none); not pre-quoted
|
2003-05-31 00:55:16 +02:00
|
|
|
* type: the object type (as seen in GRANT command: must be one of
|
2017-11-30 14:46:13 +01:00
|
|
|
* TABLE, SEQUENCE, FUNCTION, PROCEDURE, LANGUAGE, SCHEMA, DATABASE, TABLESPACE,
|
2010-02-18 02:29:10 +01:00
|
|
|
* FOREIGN DATA WRAPPER, SERVER, or LARGE OBJECT)
|
2003-05-31 00:55:16 +02:00
|
|
|
* acls: the ACL string fetched from the database
|
2016-04-07 03:45:32 +02:00
|
|
|
* racls: the ACL string of any initial-but-now-revoked privileges
|
2005-12-03 22:06:18 +01:00
|
|
|
* owner: username of object owner (will be passed through fmtId); can be
|
|
|
|
|
* NULL or empty string to indicate "no owner known"
|
2009-10-05 21:24:49 +02:00
|
|
|
* prefix: string to prefix to each generated command; typically empty
|
2003-05-31 00:55:16 +02:00
|
|
|
* remoteVersion: version of database
|
|
|
|
|
*
|
2017-08-16 06:22:32 +02:00
|
|
|
* Returns true if okay, false if could not parse the acl string.
|
2003-05-31 00:55:16 +02:00
|
|
|
* The resulting commands (if any) are appended to the contents of 'sql'.
|
|
|
|
|
*
|
2009-10-05 21:24:49 +02:00
|
|
|
* Note: when processing a default ACL, prefix is "ALTER DEFAULT PRIVILEGES "
|
|
|
|
|
* or something similar, and name is an empty string.
|
|
|
|
|
*
|
2009-01-22 21:16:10 +01:00
|
|
|
* Note: beware of passing a fmtId() result directly as 'name' or 'subname',
|
|
|
|
|
* since this routine uses fmtId() internally.
|
2003-05-31 00:55:16 +02:00
|
|
|
*/
|
|
|
|
|
bool
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
buildACLCommands(const char *name, const char *subname, const char *nspname,
|
2016-04-07 03:45:32 +02:00
|
|
|
const char *type, const char *acls, const char *racls,
|
|
|
|
|
const char *owner, const char *prefix, int remoteVersion,
|
2003-05-31 00:55:16 +02:00
|
|
|
PQExpBuffer sql)
|
|
|
|
|
{
|
2015-02-12 00:35:23 +01:00
|
|
|
bool ok = true;
|
2016-04-07 03:45:32 +02:00
|
|
|
char **aclitems = NULL;
|
|
|
|
|
char **raclitems = NULL;
|
|
|
|
|
int naclitems = 0;
|
|
|
|
|
int nraclitems = 0;
|
2003-07-31 19:21:57 +02:00
|
|
|
int i;
|
2003-08-04 02:43:34 +02:00
|
|
|
PQExpBuffer grantee,
|
|
|
|
|
grantor,
|
|
|
|
|
privs,
|
|
|
|
|
privswgo;
|
|
|
|
|
PQExpBuffer firstsql,
|
|
|
|
|
secondsql;
|
2003-05-31 00:55:16 +02:00
|
|
|
bool found_owner_privs = false;
|
|
|
|
|
|
2016-04-07 03:45:32 +02:00
|
|
|
if (strlen(acls) == 0 && strlen(racls) == 0)
|
2003-05-31 00:55:16 +02:00
|
|
|
return true; /* object has default permissions */
|
|
|
|
|
|
2005-12-03 22:06:18 +01:00
|
|
|
/* treat empty-string owner same as NULL */
|
|
|
|
|
if (owner && *owner == '\0')
|
|
|
|
|
owner = NULL;
|
|
|
|
|
|
2016-04-07 03:45:32 +02:00
|
|
|
if (strlen(acls) != 0)
|
2003-07-31 19:21:57 +02:00
|
|
|
{
|
2016-04-07 03:45:32 +02:00
|
|
|
if (!parsePGArray(acls, &aclitems, &naclitems))
|
|
|
|
|
{
|
|
|
|
|
if (aclitems)
|
|
|
|
|
free(aclitems);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strlen(racls) != 0)
|
|
|
|
|
{
|
|
|
|
|
if (!parsePGArray(racls, &raclitems, &nraclitems))
|
|
|
|
|
{
|
|
|
|
|
if (raclitems)
|
|
|
|
|
free(raclitems);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2003-07-31 19:21:57 +02:00
|
|
|
}
|
|
|
|
|
|
2003-05-31 00:55:16 +02:00
|
|
|
grantee = createPQExpBuffer();
|
|
|
|
|
grantor = createPQExpBuffer();
|
|
|
|
|
privs = createPQExpBuffer();
|
|
|
|
|
privswgo = createPQExpBuffer();
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2003-07-24 17:52:53 +02:00
|
|
|
/*
|
2016-04-07 03:45:32 +02:00
|
|
|
* At the end, these two will be pasted together to form the result.
|
|
|
|
|
*
|
|
|
|
|
* For older systems we use these to ensure that the owner privileges go
|
|
|
|
|
* before the other ones, as a GRANT could create the default entry for
|
|
|
|
|
* the object, which generally includes all rights for the owner. In more
|
|
|
|
|
* recent versions we normally handle this because the owner rights come
|
|
|
|
|
* first in the ACLs, but older versions might have them after the PUBLIC
|
|
|
|
|
* privileges.
|
|
|
|
|
*
|
|
|
|
|
* For 9.6 and later systems, much of this changes. With 9.6, we check
|
|
|
|
|
* the default privileges for the objects at dump time and create two sets
|
|
|
|
|
* of ACLs- "racls" which are the ACLs to REVOKE from the object (as the
|
|
|
|
|
* object may have initial privileges on it, along with any default ACLs
|
|
|
|
|
* which are not part of the current set of privileges), and regular
|
|
|
|
|
* "acls", which are the ACLs to GRANT to the object. We handle the
|
|
|
|
|
* REVOKEs first, followed by the GRANTs.
|
2003-07-24 17:52:53 +02:00
|
|
|
*/
|
|
|
|
|
firstsql = createPQExpBuffer();
|
|
|
|
|
secondsql = createPQExpBuffer();
|
2003-05-31 00:55:16 +02:00
|
|
|
|
|
|
|
|
/*
|
2016-04-07 03:45:32 +02:00
|
|
|
* For pre-9.6 systems, we always start with REVOKE ALL FROM PUBLIC, as we
|
|
|
|
|
* don't wish to make any assumptions about what the default ACLs are, and
|
|
|
|
|
* we do not collect them during the dump phase (and racls will always be
|
|
|
|
|
* the empty set, see above).
|
|
|
|
|
*
|
|
|
|
|
* For 9.6 and later, if any revoke ACLs have been provided, then include
|
|
|
|
|
* them in 'firstsql'.
|
|
|
|
|
*
|
|
|
|
|
* Revoke ACLs happen when an object starts out life with a set of
|
|
|
|
|
* privileges (eg: GRANT SELECT ON pg_class TO PUBLIC;) and the user has
|
|
|
|
|
* decided to revoke those rights. Since those objects come into being
|
|
|
|
|
* with those default privileges, we have to revoke them to match what the
|
|
|
|
|
* current state of affairs is. Note that we only started explicitly
|
|
|
|
|
* tracking such initial rights in 9.6, and prior to that all initial
|
|
|
|
|
* rights are actually handled by the simple 'REVOKE ALL .. FROM PUBLIC'
|
|
|
|
|
* case, for initdb-created objects. Prior to 9.6, we didn't handle
|
|
|
|
|
* extensions correctly, but we do now by tracking their initial
|
|
|
|
|
* privileges, in the same way we track initdb initial privileges, see
|
|
|
|
|
* pg_init_privs.
|
2003-05-31 00:55:16 +02:00
|
|
|
*/
|
2016-04-07 03:45:32 +02:00
|
|
|
if (remoteVersion < 90600)
|
|
|
|
|
{
|
|
|
|
|
Assert(nraclitems == 0);
|
|
|
|
|
|
|
|
|
|
appendPQExpBuffer(firstsql, "%sREVOKE ALL", prefix);
|
|
|
|
|
if (subname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "(%s)", subname);
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
appendPQExpBuffer(firstsql, " ON %s ", type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s FROM PUBLIC;\n", name);
|
2016-04-07 03:45:32 +02:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Scan individual REVOKE ACL items */
|
|
|
|
|
for (i = 0; i < nraclitems; i++)
|
|
|
|
|
{
|
|
|
|
|
if (!parseAclItem(raclitems[i], type, name, subname, remoteVersion,
|
|
|
|
|
grantee, grantor, privs, privswgo))
|
|
|
|
|
{
|
|
|
|
|
ok = false;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (privs->len > 0 || privswgo->len > 0)
|
|
|
|
|
{
|
|
|
|
|
if (privs->len > 0)
|
|
|
|
|
{
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
appendPQExpBuffer(firstsql, "%sREVOKE %s ON %s ",
|
|
|
|
|
prefix, privs->data, type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s FROM ", name);
|
2016-04-07 03:45:32 +02:00
|
|
|
if (grantee->len == 0)
|
|
|
|
|
appendPQExpBufferStr(firstsql, "PUBLIC;\n");
|
|
|
|
|
else if (strncmp(grantee->data, "group ",
|
|
|
|
|
strlen("group ")) == 0)
|
|
|
|
|
appendPQExpBuffer(firstsql, "GROUP %s;\n",
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
fmtId(grantee->data + strlen("group ")));
|
2016-04-07 03:45:32 +02:00
|
|
|
else
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s;\n",
|
|
|
|
|
fmtId(grantee->data));
|
|
|
|
|
}
|
|
|
|
|
if (privswgo->len > 0)
|
|
|
|
|
{
|
|
|
|
|
appendPQExpBuffer(firstsql,
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
"%sREVOKE GRANT OPTION FOR %s ON %s ",
|
|
|
|
|
prefix, privswgo->data, type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s FROM ", name);
|
2016-04-07 03:45:32 +02:00
|
|
|
if (grantee->len == 0)
|
|
|
|
|
appendPQExpBufferStr(firstsql, "PUBLIC");
|
|
|
|
|
else if (strncmp(grantee->data, "group ",
|
|
|
|
|
strlen("group ")) == 0)
|
|
|
|
|
appendPQExpBuffer(firstsql, "GROUP %s",
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
fmtId(grantee->data + strlen("group ")));
|
2016-04-07 03:45:32 +02:00
|
|
|
else
|
|
|
|
|
appendPQExpBufferStr(firstsql, fmtId(grantee->data));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
|
2007-01-04 18:49:37 +01:00
|
|
|
/*
|
|
|
|
|
* We still need some hacking though to cover the case where new default
|
|
|
|
|
* public privileges are added in new versions: the REVOKE ALL will revoke
|
|
|
|
|
* them, leading to behavior different from what the old version had,
|
2007-11-15 22:14:46 +01:00
|
|
|
* which is generally not what's wanted. So add back default privs if the
|
|
|
|
|
* source database is too old to have had that particular priv.
|
2007-01-04 18:49:37 +01:00
|
|
|
*/
|
|
|
|
|
if (remoteVersion < 80200 && strcmp(type, "DATABASE") == 0)
|
|
|
|
|
{
|
|
|
|
|
/* database CONNECT priv didn't exist before 8.2 */
|
2009-10-05 21:24:49 +02:00
|
|
|
appendPQExpBuffer(firstsql, "%sGRANT CONNECT ON %s %s TO PUBLIC;\n",
|
|
|
|
|
prefix, type, name);
|
2007-01-04 18:49:37 +01:00
|
|
|
}
|
|
|
|
|
|
2003-07-31 19:21:57 +02:00
|
|
|
/* Scan individual ACL items */
|
|
|
|
|
for (i = 0; i < naclitems; i++)
|
2003-05-31 00:55:16 +02:00
|
|
|
{
|
2009-01-22 21:16:10 +01:00
|
|
|
if (!parseAclItem(aclitems[i], type, name, subname, remoteVersion,
|
2003-05-31 00:55:16 +02:00
|
|
|
grantee, grantor, privs, privswgo))
|
2012-06-03 17:52:52 +02:00
|
|
|
{
|
2015-02-12 00:35:23 +01:00
|
|
|
ok = false;
|
|
|
|
|
break;
|
2012-06-03 17:52:52 +02:00
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
|
|
|
|
|
if (grantor->len == 0 && owner)
|
|
|
|
|
printfPQExpBuffer(grantor, "%s", owner);
|
|
|
|
|
|
|
|
|
|
if (privs->len > 0 || privswgo->len > 0)
|
|
|
|
|
{
|
2016-04-07 03:45:32 +02:00
|
|
|
/*
|
|
|
|
|
* Prior to 9.6, we had to handle owner privileges in a special
|
|
|
|
|
* manner by first REVOKE'ing the rights and then GRANT'ing them
|
|
|
|
|
* after. With 9.6 and above, what we need to REVOKE and what we
|
|
|
|
|
* need to GRANT is figured out when we dump and stashed into
|
2016-06-03 16:13:36 +02:00
|
|
|
* "racls" and "acls", respectively. See above.
|
2016-04-07 03:45:32 +02:00
|
|
|
*/
|
|
|
|
|
if (remoteVersion < 90600 && owner
|
2003-07-24 17:52:53 +02:00
|
|
|
&& strcmp(grantee->data, owner) == 0
|
|
|
|
|
&& strcmp(grantor->data, owner) == 0)
|
2003-05-31 00:55:16 +02:00
|
|
|
{
|
2003-07-24 17:52:53 +02:00
|
|
|
found_owner_privs = true;
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2003-05-31 00:55:16 +02:00
|
|
|
/*
|
2003-08-04 02:43:34 +02:00
|
|
|
* For the owner, the default privilege level is ALL WITH
|
2016-10-12 18:19:56 +02:00
|
|
|
* GRANT OPTION.
|
2003-05-31 00:55:16 +02:00
|
|
|
*/
|
2016-10-12 18:19:56 +02:00
|
|
|
if (strcmp(privswgo->data, "ALL") != 0)
|
2003-05-31 00:55:16 +02:00
|
|
|
{
|
2009-10-05 21:24:49 +02:00
|
|
|
appendPQExpBuffer(firstsql, "%sREVOKE ALL", prefix);
|
2009-01-22 21:16:10 +01:00
|
|
|
if (subname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "(%s)", subname);
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
appendPQExpBuffer(firstsql, " ON %s ", type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s FROM %s;\n",
|
|
|
|
|
name, fmtId(grantee->data));
|
2003-05-31 00:55:16 +02:00
|
|
|
if (privs->len > 0)
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
{
|
2009-01-22 21:16:10 +01:00
|
|
|
appendPQExpBuffer(firstsql,
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
"%sGRANT %s ON %s ",
|
|
|
|
|
prefix, privs->data, type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(firstsql,
|
|
|
|
|
"%s TO %s;\n",
|
|
|
|
|
name, fmtId(grantee->data));
|
|
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
if (privswgo->len > 0)
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
{
|
2009-01-22 21:16:10 +01:00
|
|
|
appendPQExpBuffer(firstsql,
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
"%sGRANT %s ON %s ",
|
|
|
|
|
prefix, privswgo->data, type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(firstsql,
|
|
|
|
|
"%s TO %s WITH GRANT OPTION;\n",
|
|
|
|
|
name, fmtId(grantee->data));
|
|
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/*
|
2016-04-07 03:45:32 +02:00
|
|
|
* For systems prior to 9.6, we can assume we are starting
|
|
|
|
|
* from no privs at this point.
|
|
|
|
|
*
|
|
|
|
|
* For 9.6 and above, at this point we have issued REVOKE
|
|
|
|
|
* statements for all initial and default privileges which are
|
|
|
|
|
* no longer present on the object (as they were passed in as
|
|
|
|
|
* 'racls') and we can simply GRANT the rights which are in
|
|
|
|
|
* 'acls'.
|
2003-05-31 00:55:16 +02:00
|
|
|
*/
|
2003-07-24 17:52:53 +02:00
|
|
|
if (grantor->len > 0
|
|
|
|
|
&& (!owner || strcmp(owner, grantor->data) != 0))
|
|
|
|
|
appendPQExpBuffer(secondsql, "SET SESSION AUTHORIZATION %s;\n",
|
|
|
|
|
fmtId(grantor->data));
|
|
|
|
|
|
2003-05-31 00:55:16 +02:00
|
|
|
if (privs->len > 0)
|
|
|
|
|
{
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
appendPQExpBuffer(secondsql, "%sGRANT %s ON %s ",
|
|
|
|
|
prefix, privs->data, type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(secondsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(secondsql, "%s TO ", name);
|
2003-05-31 00:55:16 +02:00
|
|
|
if (grantee->len == 0)
|
2013-11-18 17:29:01 +01:00
|
|
|
appendPQExpBufferStr(secondsql, "PUBLIC;\n");
|
2003-05-31 00:55:16 +02:00
|
|
|
else if (strncmp(grantee->data, "group ",
|
|
|
|
|
strlen("group ")) == 0)
|
2003-07-24 17:52:53 +02:00
|
|
|
appendPQExpBuffer(secondsql, "GROUP %s;\n",
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
fmtId(grantee->data + strlen("group ")));
|
2003-05-31 00:55:16 +02:00
|
|
|
else
|
2003-07-24 17:52:53 +02:00
|
|
|
appendPQExpBuffer(secondsql, "%s;\n", fmtId(grantee->data));
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
|
|
|
|
if (privswgo->len > 0)
|
|
|
|
|
{
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
appendPQExpBuffer(secondsql, "%sGRANT %s ON %s ",
|
|
|
|
|
prefix, privswgo->data, type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(secondsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(secondsql, "%s TO ", name);
|
2003-05-31 00:55:16 +02:00
|
|
|
if (grantee->len == 0)
|
2013-11-18 17:29:01 +01:00
|
|
|
appendPQExpBufferStr(secondsql, "PUBLIC");
|
2003-05-31 00:55:16 +02:00
|
|
|
else if (strncmp(grantee->data, "group ",
|
|
|
|
|
strlen("group ")) == 0)
|
2003-07-24 17:52:53 +02:00
|
|
|
appendPQExpBuffer(secondsql, "GROUP %s",
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
fmtId(grantee->data + strlen("group ")));
|
2003-05-31 00:55:16 +02:00
|
|
|
else
|
2013-11-18 17:29:01 +01:00
|
|
|
appendPQExpBufferStr(secondsql, fmtId(grantee->data));
|
|
|
|
|
appendPQExpBufferStr(secondsql, " WITH GRANT OPTION;\n");
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
2003-07-24 17:52:53 +02:00
|
|
|
|
|
|
|
|
if (grantor->len > 0
|
|
|
|
|
&& (!owner || strcmp(owner, grantor->data) != 0))
|
2013-11-18 17:29:01 +01:00
|
|
|
appendPQExpBufferStr(secondsql, "RESET SESSION AUTHORIZATION;\n");
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2016-04-07 03:45:32 +02:00
|
|
|
* For systems prior to 9.6, if we didn't find any owner privs, the owner
|
|
|
|
|
* must have revoked 'em all.
|
|
|
|
|
*
|
|
|
|
|
* For 9.6 and above, we handle this through the 'racls'. See above.
|
2003-05-31 00:55:16 +02:00
|
|
|
*/
|
2016-04-07 03:45:32 +02:00
|
|
|
if (remoteVersion < 90600 && !found_owner_privs && owner)
|
2009-01-22 21:16:10 +01:00
|
|
|
{
|
2009-10-05 21:24:49 +02:00
|
|
|
appendPQExpBuffer(firstsql, "%sREVOKE ALL", prefix);
|
2009-01-22 21:16:10 +01:00
|
|
|
if (subname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "(%s)", subname);
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
appendPQExpBuffer(firstsql, " ON %s ", type);
|
|
|
|
|
if (nspname && *nspname)
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s.", fmtId(nspname));
|
|
|
|
|
appendPQExpBuffer(firstsql, "%s FROM %s;\n",
|
|
|
|
|
name, fmtId(owner));
|
2009-01-22 21:16:10 +01:00
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
|
|
|
|
|
destroyPQExpBuffer(grantee);
|
|
|
|
|
destroyPQExpBuffer(grantor);
|
|
|
|
|
destroyPQExpBuffer(privs);
|
|
|
|
|
destroyPQExpBuffer(privswgo);
|
|
|
|
|
|
2003-07-24 17:52:53 +02:00
|
|
|
appendPQExpBuffer(sql, "%s%s", firstsql->data, secondsql->data);
|
|
|
|
|
destroyPQExpBuffer(firstsql);
|
|
|
|
|
destroyPQExpBuffer(secondsql);
|
|
|
|
|
|
2016-04-07 03:45:32 +02:00
|
|
|
if (aclitems)
|
|
|
|
|
free(aclitems);
|
|
|
|
|
|
|
|
|
|
if (raclitems)
|
|
|
|
|
free(raclitems);
|
2003-07-31 19:21:57 +02:00
|
|
|
|
2015-02-12 00:35:23 +01:00
|
|
|
return ok;
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
|
|
|
|
|
2009-10-05 21:24:49 +02:00
|
|
|
/*
|
|
|
|
|
* Build ALTER DEFAULT PRIVILEGES command(s) for single pg_default_acl entry.
|
|
|
|
|
*
|
2009-10-13 01:41:45 +02:00
|
|
|
* type: the object type (TABLES, FUNCTIONS, etc)
|
2009-10-05 21:24:49 +02:00
|
|
|
* nspname: schema name, or NULL for global default privileges
|
|
|
|
|
* acls: the ACL string fetched from the database
|
|
|
|
|
* owner: username of privileges owner (will be passed through fmtId)
|
|
|
|
|
* remoteVersion: version of database
|
|
|
|
|
*
|
2017-08-16 06:22:32 +02:00
|
|
|
* Returns true if okay, false if could not parse the acl string.
|
2009-10-05 21:24:49 +02:00
|
|
|
* The resulting commands (if any) are appended to the contents of 'sql'.
|
|
|
|
|
*/
|
|
|
|
|
bool
|
|
|
|
|
buildDefaultACLCommands(const char *type, const char *nspname,
|
2017-01-31 22:24:11 +01:00
|
|
|
const char *acls, const char *racls,
|
|
|
|
|
const char *initacls, const char *initracls,
|
|
|
|
|
const char *owner,
|
2009-10-05 21:24:49 +02:00
|
|
|
int remoteVersion,
|
|
|
|
|
PQExpBuffer sql)
|
|
|
|
|
{
|
|
|
|
|
PQExpBuffer prefix;
|
|
|
|
|
|
|
|
|
|
prefix = createPQExpBuffer();
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We incorporate the target role directly into the command, rather than
|
2014-05-06 18:12:18 +02:00
|
|
|
* playing around with SET ROLE or anything like that. This is so that a
|
2010-02-26 03:01:40 +01:00
|
|
|
* permissions error leads to nothing happening, rather than changing
|
|
|
|
|
* default privileges for the wrong user.
|
2009-10-05 21:24:49 +02:00
|
|
|
*/
|
|
|
|
|
appendPQExpBuffer(prefix, "ALTER DEFAULT PRIVILEGES FOR ROLE %s ",
|
|
|
|
|
fmtId(owner));
|
|
|
|
|
if (nspname)
|
|
|
|
|
appendPQExpBuffer(prefix, "IN SCHEMA %s ", fmtId(nspname));
|
|
|
|
|
|
2017-01-31 22:24:11 +01:00
|
|
|
if (strlen(initacls) != 0 || strlen(initracls) != 0)
|
|
|
|
|
{
|
|
|
|
|
appendPQExpBuffer(sql, "SELECT pg_catalog.binary_upgrade_set_record_init_privs(true);\n");
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
if (!buildACLCommands("", NULL, NULL, type,
|
|
|
|
|
initacls, initracls, owner,
|
2017-01-31 22:24:11 +01:00
|
|
|
prefix->data, remoteVersion, sql))
|
2017-05-07 04:58:12 +02:00
|
|
|
{
|
|
|
|
|
destroyPQExpBuffer(prefix);
|
2017-01-31 22:24:11 +01:00
|
|
|
return false;
|
2017-05-07 04:58:12 +02:00
|
|
|
}
|
2017-01-31 22:24:11 +01:00
|
|
|
appendPQExpBuffer(sql, "SELECT pg_catalog.binary_upgrade_set_record_init_privs(false);\n");
|
|
|
|
|
}
|
|
|
|
|
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
if (!buildACLCommands("", NULL, NULL, type,
|
|
|
|
|
acls, racls, owner,
|
2017-01-31 22:24:11 +01:00
|
|
|
prefix->data, remoteVersion, sql))
|
2017-05-07 04:58:12 +02:00
|
|
|
{
|
|
|
|
|
destroyPQExpBuffer(prefix);
|
2017-01-31 22:24:11 +01:00
|
|
|
return false;
|
2017-05-07 04:58:12 +02:00
|
|
|
}
|
2009-10-05 21:24:49 +02:00
|
|
|
|
|
|
|
|
destroyPQExpBuffer(prefix);
|
|
|
|
|
|
2017-01-31 22:24:11 +01:00
|
|
|
return true;
|
2009-10-05 21:24:49 +02:00
|
|
|
}
|
|
|
|
|
|
2003-05-31 00:55:16 +02:00
|
|
|
/*
|
2003-07-31 19:21:57 +02:00
|
|
|
* This will parse an aclitem string, having the general form
|
|
|
|
|
* username=privilegecodes/grantor
|
|
|
|
|
* or
|
|
|
|
|
* group groupname=privilegecodes/grantor
|
2016-10-12 18:19:56 +02:00
|
|
|
* (the "group" case occurs only with servers before 8.1).
|
|
|
|
|
*
|
|
|
|
|
* Returns true on success, false on parse error. On success, the components
|
|
|
|
|
* of the string are returned in the PQExpBuffer parameters.
|
2003-07-31 19:21:57 +02:00
|
|
|
*
|
|
|
|
|
* The returned grantee string will be the dequoted username or groupname
|
2016-10-12 18:19:56 +02:00
|
|
|
* (preceded with "group " in the latter case). Note that a grant to PUBLIC
|
|
|
|
|
* is represented by an empty grantee string. The returned grantor is the
|
|
|
|
|
* dequoted grantor name. Privilege characters are decoded and split between
|
|
|
|
|
* privileges with grant option (privswgo) and without (privs).
|
2003-05-31 00:55:16 +02:00
|
|
|
*
|
2016-10-12 18:19:56 +02:00
|
|
|
* Note: for cross-version compatibility, it's important to use ALL to
|
|
|
|
|
* represent the privilege sets whenever appropriate.
|
2003-05-31 00:55:16 +02:00
|
|
|
*/
|
|
|
|
|
static bool
|
2009-01-22 21:16:10 +01:00
|
|
|
parseAclItem(const char *item, const char *type,
|
|
|
|
|
const char *name, const char *subname, int remoteVersion,
|
|
|
|
|
PQExpBuffer grantee, PQExpBuffer grantor,
|
2003-05-31 00:55:16 +02:00
|
|
|
PQExpBuffer privs, PQExpBuffer privswgo)
|
|
|
|
|
{
|
|
|
|
|
char *buf;
|
|
|
|
|
bool all_with_go = true;
|
|
|
|
|
bool all_without_go = true;
|
|
|
|
|
char *eqpos;
|
|
|
|
|
char *slpos;
|
|
|
|
|
char *pos;
|
|
|
|
|
|
|
|
|
|
buf = strdup(item);
|
2006-10-10 01:30:33 +02:00
|
|
|
if (!buf)
|
|
|
|
|
return false;
|
2003-05-31 00:55:16 +02:00
|
|
|
|
2003-07-31 19:21:57 +02:00
|
|
|
/* user or group name is string up to = */
|
|
|
|
|
eqpos = copyAclUserName(grantee, buf);
|
|
|
|
|
if (*eqpos != '=')
|
2012-06-03 17:52:52 +02:00
|
|
|
{
|
|
|
|
|
free(buf);
|
2003-05-31 00:55:16 +02:00
|
|
|
return false;
|
2012-06-03 17:52:52 +02:00
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
|
2016-10-12 18:19:56 +02:00
|
|
|
/* grantor should appear after / */
|
2003-05-31 00:55:16 +02:00
|
|
|
slpos = strchr(eqpos + 1, '/');
|
|
|
|
|
if (slpos)
|
|
|
|
|
{
|
2003-07-31 19:21:57 +02:00
|
|
|
*slpos++ = '\0';
|
|
|
|
|
slpos = copyAclUserName(grantor, slpos);
|
|
|
|
|
if (*slpos != '\0')
|
2012-06-03 17:52:52 +02:00
|
|
|
{
|
|
|
|
|
free(buf);
|
2003-07-31 19:21:57 +02:00
|
|
|
return false;
|
2012-06-03 17:52:52 +02:00
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
|
|
|
|
else
|
2016-10-12 18:19:56 +02:00
|
|
|
{
|
|
|
|
|
free(buf);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
|
|
|
|
|
/* privilege codes */
|
|
|
|
|
#define CONVERT_PRIV(code, keywd) \
|
2006-01-21 03:16:21 +01:00
|
|
|
do { \
|
2003-05-31 00:55:16 +02:00
|
|
|
if ((pos = strchr(eqpos + 1, code))) \
|
|
|
|
|
{ \
|
|
|
|
|
if (*(pos + 1) == '*') \
|
|
|
|
|
{ \
|
2009-01-22 21:16:10 +01:00
|
|
|
AddAcl(privswgo, keywd, subname); \
|
2003-05-31 00:55:16 +02:00
|
|
|
all_without_go = false; \
|
|
|
|
|
} \
|
|
|
|
|
else \
|
|
|
|
|
{ \
|
2009-01-22 21:16:10 +01:00
|
|
|
AddAcl(privs, keywd, subname); \
|
2003-05-31 00:55:16 +02:00
|
|
|
all_with_go = false; \
|
|
|
|
|
} \
|
|
|
|
|
} \
|
|
|
|
|
else \
|
2006-01-21 03:16:21 +01:00
|
|
|
all_with_go = all_without_go = false; \
|
|
|
|
|
} while (0)
|
2003-05-31 00:55:16 +02:00
|
|
|
|
|
|
|
|
resetPQExpBuffer(privs);
|
|
|
|
|
resetPQExpBuffer(privswgo);
|
|
|
|
|
|
2009-10-13 01:41:45 +02:00
|
|
|
if (strcmp(type, "TABLE") == 0 || strcmp(type, "SEQUENCE") == 0 ||
|
|
|
|
|
strcmp(type, "TABLES") == 0 || strcmp(type, "SEQUENCES") == 0)
|
2003-05-31 00:55:16 +02:00
|
|
|
{
|
|
|
|
|
CONVERT_PRIV('r', "SELECT");
|
2006-10-04 02:30:14 +02:00
|
|
|
|
2009-10-13 01:41:45 +02:00
|
|
|
if (strcmp(type, "SEQUENCE") == 0 ||
|
|
|
|
|
strcmp(type, "SEQUENCES") == 0)
|
2006-01-21 03:16:21 +01:00
|
|
|
/* sequence only */
|
|
|
|
|
CONVERT_PRIV('U', "USAGE");
|
|
|
|
|
else
|
2003-05-31 00:55:16 +02:00
|
|
|
{
|
2006-01-21 03:16:21 +01:00
|
|
|
/* table only */
|
|
|
|
|
CONVERT_PRIV('a', "INSERT");
|
2016-10-12 18:19:56 +02:00
|
|
|
CONVERT_PRIV('x', "REFERENCES");
|
2009-01-22 21:16:10 +01:00
|
|
|
/* rest are not applicable to columns */
|
|
|
|
|
if (subname == NULL)
|
|
|
|
|
{
|
2016-10-12 18:19:56 +02:00
|
|
|
CONVERT_PRIV('d', "DELETE");
|
|
|
|
|
CONVERT_PRIV('t', "TRIGGER");
|
2009-01-22 21:16:10 +01:00
|
|
|
if (remoteVersion >= 80400)
|
|
|
|
|
CONVERT_PRIV('D', "TRUNCATE");
|
2006-01-21 03:16:21 +01:00
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
2006-01-21 03:16:21 +01:00
|
|
|
|
|
|
|
|
/* UPDATE */
|
2016-10-12 18:19:56 +02:00
|
|
|
CONVERT_PRIV('w', "UPDATE");
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
2009-10-13 01:41:45 +02:00
|
|
|
else if (strcmp(type, "FUNCTION") == 0 ||
|
|
|
|
|
strcmp(type, "FUNCTIONS") == 0)
|
2003-05-31 00:55:16 +02:00
|
|
|
CONVERT_PRIV('X', "EXECUTE");
|
2017-11-30 14:46:13 +01:00
|
|
|
else if (strcmp(type, "PROCEDURE") == 0 ||
|
|
|
|
|
strcmp(type, "PROCEDURES") == 0)
|
|
|
|
|
CONVERT_PRIV('X', "EXECUTE");
|
2003-05-31 00:55:16 +02:00
|
|
|
else if (strcmp(type, "LANGUAGE") == 0)
|
|
|
|
|
CONVERT_PRIV('U', "USAGE");
|
2017-03-28 17:58:55 +02:00
|
|
|
else if (strcmp(type, "SCHEMA") == 0 ||
|
2017-05-17 02:36:35 +02:00
|
|
|
strcmp(type, "SCHEMAS") == 0)
|
2003-05-31 00:55:16 +02:00
|
|
|
{
|
|
|
|
|
CONVERT_PRIV('C', "CREATE");
|
|
|
|
|
CONVERT_PRIV('U', "USAGE");
|
|
|
|
|
}
|
|
|
|
|
else if (strcmp(type, "DATABASE") == 0)
|
|
|
|
|
{
|
|
|
|
|
CONVERT_PRIV('C', "CREATE");
|
2006-04-30 23:15:33 +02:00
|
|
|
CONVERT_PRIV('c', "CONNECT");
|
2003-05-31 00:55:16 +02:00
|
|
|
CONVERT_PRIV('T', "TEMPORARY");
|
|
|
|
|
}
|
2004-06-18 08:14:31 +02:00
|
|
|
else if (strcmp(type, "TABLESPACE") == 0)
|
|
|
|
|
CONVERT_PRIV('C', "CREATE");
|
2012-12-09 06:08:23 +01:00
|
|
|
else if (strcmp(type, "TYPE") == 0 ||
|
|
|
|
|
strcmp(type, "TYPES") == 0)
|
|
|
|
|
CONVERT_PRIV('U', "USAGE");
|
2008-12-19 17:25:19 +01:00
|
|
|
else if (strcmp(type, "FOREIGN DATA WRAPPER") == 0)
|
|
|
|
|
CONVERT_PRIV('U', "USAGE");
|
2010-03-03 21:10:48 +01:00
|
|
|
else if (strcmp(type, "FOREIGN SERVER") == 0)
|
2008-12-19 17:25:19 +01:00
|
|
|
CONVERT_PRIV('U', "USAGE");
|
2011-01-02 05:48:11 +01:00
|
|
|
else if (strcmp(type, "FOREIGN TABLE") == 0)
|
|
|
|
|
CONVERT_PRIV('r', "SELECT");
|
2009-12-11 04:34:57 +01:00
|
|
|
else if (strcmp(type, "LARGE OBJECT") == 0)
|
|
|
|
|
{
|
|
|
|
|
CONVERT_PRIV('r', "SELECT");
|
|
|
|
|
CONVERT_PRIV('w', "UPDATE");
|
|
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
else
|
|
|
|
|
abort();
|
|
|
|
|
|
|
|
|
|
#undef CONVERT_PRIV
|
|
|
|
|
|
|
|
|
|
if (all_with_go)
|
|
|
|
|
{
|
|
|
|
|
resetPQExpBuffer(privs);
|
|
|
|
|
printfPQExpBuffer(privswgo, "ALL");
|
2009-01-22 21:16:10 +01:00
|
|
|
if (subname)
|
|
|
|
|
appendPQExpBuffer(privswgo, "(%s)", subname);
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
|
|
|
|
else if (all_without_go)
|
|
|
|
|
{
|
|
|
|
|
resetPQExpBuffer(privswgo);
|
|
|
|
|
printfPQExpBuffer(privs, "ALL");
|
2009-01-22 21:16:10 +01:00
|
|
|
if (subname)
|
|
|
|
|
appendPQExpBuffer(privs, "(%s)", subname);
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(buf);
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2003-07-31 19:21:57 +02:00
|
|
|
/*
|
|
|
|
|
* Transfer a user or group name starting at *input into the output buffer,
|
|
|
|
|
* dequoting if needed. Returns a pointer to just past the input name.
|
|
|
|
|
* The name is taken to end at an unquoted '=' or end of string.
|
|
|
|
|
*/
|
|
|
|
|
static char *
|
|
|
|
|
copyAclUserName(PQExpBuffer output, char *input)
|
|
|
|
|
{
|
|
|
|
|
resetPQExpBuffer(output);
|
2003-08-14 16:19:11 +02:00
|
|
|
|
2003-07-31 19:21:57 +02:00
|
|
|
while (*input && *input != '=')
|
|
|
|
|
{
|
2004-08-29 07:07:03 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* If user name isn't quoted, then just add it to the output buffer
|
2004-08-29 07:07:03 +02:00
|
|
|
*/
|
2003-07-31 19:21:57 +02:00
|
|
|
if (*input != '"')
|
|
|
|
|
appendPQExpBufferChar(output, *input++);
|
|
|
|
|
else
|
|
|
|
|
{
|
2004-06-18 08:14:31 +02:00
|
|
|
/* Otherwise, it's a quoted username */
|
2003-07-31 19:21:57 +02:00
|
|
|
input++;
|
2003-08-14 16:19:11 +02:00
|
|
|
/* Loop until we come across an unescaped quote */
|
|
|
|
|
while (!(*input == '"' && *(input + 1) != '"'))
|
2003-07-31 19:21:57 +02:00
|
|
|
{
|
|
|
|
|
if (*input == '\0')
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
return input; /* really a syntax error... */
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2003-07-31 19:21:57 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Quoting convention is to escape " as "". Keep this code in
|
|
|
|
|
* sync with putid() in backend's acl.c.
|
2003-07-31 19:21:57 +02:00
|
|
|
*/
|
2003-08-14 16:19:11 +02:00
|
|
|
if (*input == '"' && *(input + 1) == '"')
|
|
|
|
|
input++;
|
2003-07-31 19:21:57 +02:00
|
|
|
appendPQExpBufferChar(output, *input++);
|
|
|
|
|
}
|
|
|
|
|
input++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return input;
|
|
|
|
|
}
|
2003-05-31 00:55:16 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Append a privilege keyword to a keyword list, inserting comma if needed.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2009-01-22 21:16:10 +01:00
|
|
|
AddAcl(PQExpBuffer aclbuf, const char *keyword, const char *subname)
|
2003-05-31 00:55:16 +02:00
|
|
|
{
|
|
|
|
|
if (aclbuf->len > 0)
|
|
|
|
|
appendPQExpBufferChar(aclbuf, ',');
|
2013-11-18 17:29:01 +01:00
|
|
|
appendPQExpBufferStr(aclbuf, keyword);
|
2009-01-22 21:16:10 +01:00
|
|
|
if (subname)
|
|
|
|
|
appendPQExpBuffer(aclbuf, "(%s)", subname);
|
2003-05-31 00:55:16 +02:00
|
|
|
}
|
2006-10-10 01:30:33 +02:00
|
|
|
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/*
|
|
|
|
|
* buildShSecLabelQuery
|
|
|
|
|
*
|
|
|
|
|
* Build a query to retrieve security labels for a shared object.
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
* The object is identified by its OID plus the name of the catalog
|
|
|
|
|
* it can be found in (e.g., "pg_database" for database names).
|
|
|
|
|
* The query is appended to "sql". (We don't execute it here so as to
|
|
|
|
|
* keep this file free of assumptions about how to deal with SQL errors.)
|
2011-07-20 19:18:24 +02:00
|
|
|
*/
|
|
|
|
|
void
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
buildShSecLabelQuery(PGconn *conn, const char *catalog_name, Oid objectId,
|
2011-07-20 19:18:24 +02:00
|
|
|
PQExpBuffer sql)
|
|
|
|
|
{
|
|
|
|
|
appendPQExpBuffer(sql,
|
|
|
|
|
"SELECT provider, label FROM pg_catalog.pg_shseclabel "
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
"WHERE classoid = 'pg_catalog.%s'::pg_catalog.regclass "
|
|
|
|
|
"AND objoid = '%u'", catalog_name, objectId);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* emitShSecLabels
|
|
|
|
|
*
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
* Construct SECURITY LABEL commands using the data retrieved by the query
|
|
|
|
|
* generated by buildShSecLabelQuery, and append them to "buffer".
|
|
|
|
|
* Here, the target object is identified by its type name (e.g. "DATABASE")
|
|
|
|
|
* and its name (not pre-quoted).
|
2011-07-20 19:18:24 +02:00
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
emitShSecLabels(PGconn *conn, PGresult *res, PQExpBuffer buffer,
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
const char *objtype, const char *objname)
|
2011-07-20 19:18:24 +02:00
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < PQntuples(res); i++)
|
2012-06-10 21:20:04 +02:00
|
|
|
{
|
|
|
|
|
char *provider = PQgetvalue(res, i, 0);
|
|
|
|
|
char *label = PQgetvalue(res, i, 1);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
/* must use fmtId result before calling it again */
|
|
|
|
|
appendPQExpBuffer(buffer,
|
|
|
|
|
"SECURITY LABEL FOR %s ON %s",
|
Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when
dumping an object in schema "foo", and has also caused that setting
to be used while restoring the object. This is problematic because
functions and operators in schema "foo" could capture references meant
to refer to pg_catalog entries, both in the queries issued by pg_dump
and those issued during the subsequent restore run. That could
result in dump/restore misbehavior, or in privilege escalation if a
nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what
was used at dump time, and then leaves it alone thereafter. Created
objects are placed in the correct schema, regardless of the active
search_path, by dint of schema-qualifying their names in the CREATE
commands, as well as in subsequent ALTER and ALTER-like commands.
Since this change requires a change in the behavior of pg_restore
when processing an archive file made according to this new convention,
bump the archive file version number; old versions of pg_restore will
therefore refuse to process files made with new versions of pg_dump.
Security: CVE-2018-1058
2018-02-26 16:18:21 +01:00
|
|
|
fmtId(provider), objtype);
|
2011-07-20 19:18:24 +02:00
|
|
|
appendPQExpBuffer(buffer,
|
|
|
|
|
" %s IS ",
|
|
|
|
|
fmtId(objname));
|
|
|
|
|
appendStringLiteralConn(buffer, label, conn);
|
2013-11-18 17:29:01 +01:00
|
|
|
appendPQExpBufferStr(buffer, ";\n");
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
}
|
2016-04-07 03:45:32 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* buildACLQueries
|
|
|
|
|
*
|
|
|
|
|
* Build the subqueries to extract out the correct set of ACLs to be
|
|
|
|
|
* GRANT'd and REVOKE'd for the specific kind of object, accounting for any
|
|
|
|
|
* initial privileges (from pg_init_privs) and based on if we are in binary
|
|
|
|
|
* upgrade mode or not.
|
|
|
|
|
*
|
|
|
|
|
* Also builds subqueries to extract out the set of ACLs to go from the object
|
|
|
|
|
* default privileges to the privileges in pg_init_privs, if we are in binary
|
|
|
|
|
* upgrade mode, so that those privileges can be set up and recorded in the new
|
|
|
|
|
* cluster before the regular privileges are added on top of those.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
buildACLQueries(PQExpBuffer acl_subquery, PQExpBuffer racl_subquery,
|
|
|
|
|
PQExpBuffer init_acl_subquery, PQExpBuffer init_racl_subquery,
|
|
|
|
|
const char *acl_column, const char *acl_owner,
|
|
|
|
|
const char *obj_kind, bool binary_upgrade)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* To get the delta from what the permissions were at creation time
|
|
|
|
|
* (either initdb or CREATE EXTENSION) vs. what they are now, we have to
|
|
|
|
|
* look at two things:
|
|
|
|
|
*
|
|
|
|
|
* What privileges have been added, which we calculate by extracting all
|
|
|
|
|
* the current privileges (using the set of default privileges for the
|
|
|
|
|
* object type if current privileges are NULL) and then removing those
|
|
|
|
|
* which existed at creation time (again, using the set of default
|
|
|
|
|
* privileges for the object type if there were no creation time
|
|
|
|
|
* privileges).
|
|
|
|
|
*
|
|
|
|
|
* What privileges have been removed, which we calculate by extracting the
|
|
|
|
|
* privileges as they were at creation time (or the default privileges, as
|
|
|
|
|
* above), and then removing the current privileges (or the default
|
|
|
|
|
* privileges, if current privileges are NULL).
|
|
|
|
|
*
|
|
|
|
|
* As a good cross-check, both directions of these checks should result in
|
|
|
|
|
* the empty set if both the current ACL and the initial privs are NULL
|
|
|
|
|
* (meaning, in practice, that the default ACLs were there at init time
|
|
|
|
|
* and is what the current privileges are).
|
|
|
|
|
*
|
|
|
|
|
* We always perform this delta on all ACLs and expect that by the time
|
2016-06-10 00:02:36 +02:00
|
|
|
* these are run the initial privileges will be in place, even in a binary
|
|
|
|
|
* upgrade situation (see below).
|
2017-09-14 02:02:09 +02:00
|
|
|
*
|
|
|
|
|
* Finally, the order in which privileges are in the ACL string (the order
|
|
|
|
|
* they been GRANT'd in, which the backend maintains) must be preserved to
|
|
|
|
|
* ensure that GRANTs WITH GRANT OPTION and subsequent GRANTs based on
|
|
|
|
|
* those are dumped in the correct order.
|
2016-04-07 03:45:32 +02:00
|
|
|
*/
|
2017-09-14 02:02:09 +02:00
|
|
|
printfPQExpBuffer(acl_subquery,
|
|
|
|
|
"(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM "
|
|
|
|
|
"(SELECT acl, row_n FROM "
|
|
|
|
|
"pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) "
|
|
|
|
|
"WITH ORDINALITY AS perm(acl,row_n) "
|
|
|
|
|
"WHERE NOT EXISTS ( "
|
|
|
|
|
"SELECT 1 FROM "
|
|
|
|
|
"pg_catalog.unnest(coalesce(pip.initprivs,pg_catalog.acldefault(%s,%s))) "
|
|
|
|
|
"AS init(init_acl) WHERE acl = init_acl)) as foo)",
|
2016-04-07 03:45:32 +02:00
|
|
|
acl_column,
|
|
|
|
|
obj_kind,
|
|
|
|
|
acl_owner,
|
|
|
|
|
obj_kind,
|
|
|
|
|
acl_owner);
|
|
|
|
|
|
2017-09-14 02:02:09 +02:00
|
|
|
printfPQExpBuffer(racl_subquery,
|
|
|
|
|
"(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM "
|
|
|
|
|
"(SELECT acl, row_n FROM "
|
|
|
|
|
"pg_catalog.unnest(coalesce(pip.initprivs,pg_catalog.acldefault(%s,%s))) "
|
|
|
|
|
"WITH ORDINALITY AS initp(acl,row_n) "
|
|
|
|
|
"WHERE NOT EXISTS ( "
|
|
|
|
|
"SELECT 1 FROM "
|
|
|
|
|
"pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) "
|
|
|
|
|
"AS permp(orig_acl) WHERE acl = orig_acl)) as foo)",
|
2016-04-07 03:45:32 +02:00
|
|
|
obj_kind,
|
|
|
|
|
acl_owner,
|
|
|
|
|
acl_column,
|
|
|
|
|
obj_kind,
|
|
|
|
|
acl_owner);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* In binary upgrade mode we don't run the extension script but instead
|
|
|
|
|
* dump out the objects independently and then recreate them. To preserve
|
|
|
|
|
* the initial privileges which were set on extension objects, we need to
|
|
|
|
|
* grab the set of GRANT and REVOKE commands necessary to get from the
|
|
|
|
|
* default privileges of an object to the initial privileges as recorded
|
|
|
|
|
* in pg_init_privs.
|
|
|
|
|
*
|
|
|
|
|
* These will then be run ahead of the regular ACL commands, which were
|
|
|
|
|
* calculated using the queries above, inside of a block which sets a flag
|
|
|
|
|
* to indicate that the backend should record the results of these GRANT
|
|
|
|
|
* and REVOKE statements into pg_init_privs. This is how we preserve the
|
|
|
|
|
* contents of that catalog across binary upgrades.
|
|
|
|
|
*/
|
|
|
|
|
if (binary_upgrade)
|
|
|
|
|
{
|
|
|
|
|
printfPQExpBuffer(init_acl_subquery,
|
|
|
|
|
"CASE WHEN privtype = 'e' THEN "
|
2017-09-14 02:02:09 +02:00
|
|
|
"(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM "
|
|
|
|
|
"(SELECT acl, row_n FROM pg_catalog.unnest(pip.initprivs) "
|
|
|
|
|
"WITH ORDINALITY AS initp(acl,row_n) "
|
|
|
|
|
"WHERE NOT EXISTS ( "
|
|
|
|
|
"SELECT 1 FROM "
|
|
|
|
|
"pg_catalog.unnest(pg_catalog.acldefault(%s,%s)) "
|
|
|
|
|
"AS privm(orig_acl) WHERE acl = orig_acl)) as foo) END",
|
2016-04-07 03:45:32 +02:00
|
|
|
obj_kind,
|
|
|
|
|
acl_owner);
|
|
|
|
|
|
|
|
|
|
printfPQExpBuffer(init_racl_subquery,
|
|
|
|
|
"CASE WHEN privtype = 'e' THEN "
|
2016-05-25 02:10:16 +02:00
|
|
|
"(SELECT pg_catalog.array_agg(acl) FROM "
|
2017-09-14 02:02:09 +02:00
|
|
|
"(SELECT acl, row_n FROM "
|
|
|
|
|
"pg_catalog.unnest(pg_catalog.acldefault(%s,%s)) "
|
|
|
|
|
"WITH ORDINALITY AS privp(acl,row_n) "
|
|
|
|
|
"WHERE NOT EXISTS ( "
|
|
|
|
|
"SELECT 1 FROM pg_catalog.unnest(pip.initprivs) "
|
|
|
|
|
"AS initp(init_acl) WHERE acl = init_acl)) as foo) END",
|
2016-04-07 03:45:32 +02:00
|
|
|
obj_kind,
|
|
|
|
|
acl_owner);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
printfPQExpBuffer(init_acl_subquery, "NULL");
|
|
|
|
|
printfPQExpBuffer(init_racl_subquery, "NULL");
|
|
|
|
|
}
|
|
|
|
|
}
|
Move handling of database properties from pg_dumpall into pg_dump.
This patch rearranges the division of labor between pg_dump and pg_dumpall
so that pg_dump itself handles all properties attached to a single
database. Notably, a database's ACL (GRANT/REVOKE status) and local GUC
settings established by ALTER DATABASE SET and ALTER ROLE IN DATABASE SET
can be dumped and restored by pg_dump. This is a long-requested
improvement.
"pg_dumpall -g" will now produce only role- and tablespace-related output,
nothing about individual databases. The total output of a regular
pg_dumpall run remains the same.
pg_dump (or pg_restore) will restore database-level properties only when
creating the target database with --create. This applies not only to
ACLs and GUCs but to the other database properties it already handled,
that is database comments and security labels. This is more consistent
and useful, but does represent an incompatibility in the behavior seen
without --create.
(This change makes the proposed patch to have pg_dump use "COMMENT ON
DATABASE CURRENT_DATABASE" unnecessary, since there is no case where
the command is issued that we won't know the true name of the database.
We might still want that patch as a feature in its own right, but pg_dump
no longer needs it.)
pg_dumpall with --clean will now drop and recreate the "postgres" and
"template1" databases in the target cluster, allowing their locale and
encoding settings to be changed if necessary, and providing a cleaner
way to set nondefault tablespaces for them than we had before. This
means that such a script must now always be started in the "postgres"
database; the order of drops and reconnects will not work otherwise.
Without --clean, the script will not adjust any database-level properties
of those two databases (including their comments, ACLs, and security
labels, which it formerly would try to set).
Another minor incompatibility is that the CREATE DATABASE commands in a
pg_dumpall script will now always specify locale and encoding settings.
Formerly those would be omitted if they matched the cluster's default.
While that behavior had some usefulness in some migration scenarios,
it also posed a significant hazard of unwanted locale/encoding changes.
To migrate to another locale/encoding, it's now necessary to use pg_dump
without --create to restore into a database with the desired settings.
Commit 4bd371f6f's hack to emit "SET default_transaction_read_only = off"
is gone: we now dodge that problem by the expedient of not issuing ALTER
DATABASE SET commands until after reconnecting to the target database.
Therefore, such settings won't apply during the restore session.
In passing, improve some shaky grammar in the docs, and add a note pointing
out that pg_dumpall's output can't be expected to load without any errors.
(Someday we might want to fix that, but this is not that patch.)
Haribabu Kommi, reviewed at various times by Andreas Karlsson,
Vaishnavi Prabakaran, and Robert Haas; further hacking by me.
Discussion: https://postgr.es/m/CAJrrPGcUurV0eWTeXODwsOYFN=Ekq36t1s0YnFYUNzsmRfdAyA@mail.gmail.com
2018-01-22 20:09:09 +01:00
|
|
|
|
Fix mishandling of quoted-list GUC values in pg_dump and ruleutils.c.
Code that prints out the contents of setconfig or proconfig arrays in
SQL format needs to handle GUC_LIST_QUOTE variables differently from
other ones, because for those variables, flatten_set_variable_args()
already applied a layer of quoting. The value can therefore safely
be printed as-is, and indeed must be, or flatten_set_variable_args()
will muck it up completely on reload. For all other GUC variables,
it's necessary and sufficient to quote the value as a SQL literal.
We'd recognized the need for this long ago, but mis-analyzed the
need slightly, thinking that all GUC_LIST_INPUT variables needed
the special treatment. That's actually wrong, since a valid value
of a LIST variable might include characters that need quoting,
although no existing variables accept such values.
More to the point, we hadn't made any particular effort to keep the
various places that deal with this up-to-date with the set of variables
that actually need special treatment, meaning that we'd do the wrong
thing with, for example, temp_tablespaces values. This affects dumping
of SET clauses attached to functions, as well as ALTER DATABASE/ROLE SET
commands.
In ruleutils.c we can fix it reasonably honestly by exporting a guc.c
function that allows discovering the flags for a given GUC variable.
But pg_dump doesn't have easy access to that, so continue the old method
of having a hard-wired list of affected variable names. At least we can
fix it to have just one list not two, and update the list to match
current reality.
A remaining problem with this is that it only works for built-in
GUC variables. pg_dump's list obvious knows nothing of third-party
extensions, and even the "ask guc.c" method isn't bulletproof since
the relevant extension might not be loaded. There's no obvious
solution to that, so for now, we'll just have to discourage extension
authors from inventing custom GUCs that need GUC_LIST_QUOTE.
This has been busted for a long time, so back-patch to all supported
branches.
Michael Paquier and Tom Lane, reviewed by Kyotaro Horiguchi and
Pavel Stehule
Discussion: https://postgr.es/m/20180111064900.GA51030@paquier.xyz
2018-03-22 01:03:28 +01:00
|
|
|
/*
|
|
|
|
|
* Detect whether the given GUC variable is of GUC_LIST_QUOTE type.
|
|
|
|
|
*
|
|
|
|
|
* It'd be better if we could inquire this directly from the backend; but even
|
|
|
|
|
* if there were a function for that, it could only tell us about variables
|
|
|
|
|
* currently known to guc.c, so that it'd be unsafe for extensions to declare
|
|
|
|
|
* GUC_LIST_QUOTE variables anyway. Lacking a solution for that, it doesn't
|
|
|
|
|
* seem worth the work to do more than have this list, which must be kept in
|
|
|
|
|
* sync with the variables actually marked GUC_LIST_QUOTE in guc.c.
|
|
|
|
|
*/
|
|
|
|
|
bool
|
|
|
|
|
variable_is_guc_list_quote(const char *name)
|
|
|
|
|
{
|
|
|
|
|
if (pg_strcasecmp(name, "temp_tablespaces") == 0 ||
|
|
|
|
|
pg_strcasecmp(name, "session_preload_libraries") == 0 ||
|
|
|
|
|
pg_strcasecmp(name, "shared_preload_libraries") == 0 ||
|
|
|
|
|
pg_strcasecmp(name, "local_preload_libraries") == 0 ||
|
|
|
|
|
pg_strcasecmp(name, "search_path") == 0)
|
|
|
|
|
return true;
|
|
|
|
|
else
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
Move handling of database properties from pg_dumpall into pg_dump.
This patch rearranges the division of labor between pg_dump and pg_dumpall
so that pg_dump itself handles all properties attached to a single
database. Notably, a database's ACL (GRANT/REVOKE status) and local GUC
settings established by ALTER DATABASE SET and ALTER ROLE IN DATABASE SET
can be dumped and restored by pg_dump. This is a long-requested
improvement.
"pg_dumpall -g" will now produce only role- and tablespace-related output,
nothing about individual databases. The total output of a regular
pg_dumpall run remains the same.
pg_dump (or pg_restore) will restore database-level properties only when
creating the target database with --create. This applies not only to
ACLs and GUCs but to the other database properties it already handled,
that is database comments and security labels. This is more consistent
and useful, but does represent an incompatibility in the behavior seen
without --create.
(This change makes the proposed patch to have pg_dump use "COMMENT ON
DATABASE CURRENT_DATABASE" unnecessary, since there is no case where
the command is issued that we won't know the true name of the database.
We might still want that patch as a feature in its own right, but pg_dump
no longer needs it.)
pg_dumpall with --clean will now drop and recreate the "postgres" and
"template1" databases in the target cluster, allowing their locale and
encoding settings to be changed if necessary, and providing a cleaner
way to set nondefault tablespaces for them than we had before. This
means that such a script must now always be started in the "postgres"
database; the order of drops and reconnects will not work otherwise.
Without --clean, the script will not adjust any database-level properties
of those two databases (including their comments, ACLs, and security
labels, which it formerly would try to set).
Another minor incompatibility is that the CREATE DATABASE commands in a
pg_dumpall script will now always specify locale and encoding settings.
Formerly those would be omitted if they matched the cluster's default.
While that behavior had some usefulness in some migration scenarios,
it also posed a significant hazard of unwanted locale/encoding changes.
To migrate to another locale/encoding, it's now necessary to use pg_dump
without --create to restore into a database with the desired settings.
Commit 4bd371f6f's hack to emit "SET default_transaction_read_only = off"
is gone: we now dodge that problem by the expedient of not issuing ALTER
DATABASE SET commands until after reconnecting to the target database.
Therefore, such settings won't apply during the restore session.
In passing, improve some shaky grammar in the docs, and add a note pointing
out that pg_dumpall's output can't be expected to load without any errors.
(Someday we might want to fix that, but this is not that patch.)
Haribabu Kommi, reviewed at various times by Andreas Karlsson,
Vaishnavi Prabakaran, and Robert Haas; further hacking by me.
Discussion: https://postgr.es/m/CAJrrPGcUurV0eWTeXODwsOYFN=Ekq36t1s0YnFYUNzsmRfdAyA@mail.gmail.com
2018-01-22 20:09:09 +01:00
|
|
|
/*
|
|
|
|
|
* Helper function for dumping "ALTER DATABASE/ROLE SET ..." commands.
|
|
|
|
|
*
|
|
|
|
|
* Parse the contents of configitem (a "name=value" string), wrap it in
|
|
|
|
|
* a complete ALTER command, and append it to buf.
|
|
|
|
|
*
|
|
|
|
|
* type is DATABASE or ROLE, and name is the name of the database or role.
|
|
|
|
|
* If we need an "IN" clause, type2 and name2 similarly define what to put
|
|
|
|
|
* there; otherwise they should be NULL.
|
|
|
|
|
* conn is used only to determine string-literal quoting conventions.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
makeAlterConfigCommand(PGconn *conn, const char *configitem,
|
|
|
|
|
const char *type, const char *name,
|
|
|
|
|
const char *type2, const char *name2,
|
|
|
|
|
PQExpBuffer buf)
|
|
|
|
|
{
|
|
|
|
|
char *mine;
|
|
|
|
|
char *pos;
|
|
|
|
|
|
|
|
|
|
/* Parse the configitem. If we can't find an "=", silently do nothing. */
|
|
|
|
|
mine = pg_strdup(configitem);
|
|
|
|
|
pos = strchr(mine, '=');
|
|
|
|
|
if (pos == NULL)
|
|
|
|
|
{
|
|
|
|
|
pg_free(mine);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
*pos++ = '\0';
|
|
|
|
|
|
|
|
|
|
/* Build the command, with suitable quoting for everything. */
|
|
|
|
|
appendPQExpBuffer(buf, "ALTER %s %s ", type, fmtId(name));
|
|
|
|
|
if (type2 != NULL && name2 != NULL)
|
|
|
|
|
appendPQExpBuffer(buf, "IN %s %s ", type2, fmtId(name2));
|
|
|
|
|
appendPQExpBuffer(buf, "SET %s TO ", fmtId(mine));
|
|
|
|
|
|
|
|
|
|
/*
|
Fix mishandling of quoted-list GUC values in pg_dump and ruleutils.c.
Code that prints out the contents of setconfig or proconfig arrays in
SQL format needs to handle GUC_LIST_QUOTE variables differently from
other ones, because for those variables, flatten_set_variable_args()
already applied a layer of quoting. The value can therefore safely
be printed as-is, and indeed must be, or flatten_set_variable_args()
will muck it up completely on reload. For all other GUC variables,
it's necessary and sufficient to quote the value as a SQL literal.
We'd recognized the need for this long ago, but mis-analyzed the
need slightly, thinking that all GUC_LIST_INPUT variables needed
the special treatment. That's actually wrong, since a valid value
of a LIST variable might include characters that need quoting,
although no existing variables accept such values.
More to the point, we hadn't made any particular effort to keep the
various places that deal with this up-to-date with the set of variables
that actually need special treatment, meaning that we'd do the wrong
thing with, for example, temp_tablespaces values. This affects dumping
of SET clauses attached to functions, as well as ALTER DATABASE/ROLE SET
commands.
In ruleutils.c we can fix it reasonably honestly by exporting a guc.c
function that allows discovering the flags for a given GUC variable.
But pg_dump doesn't have easy access to that, so continue the old method
of having a hard-wired list of affected variable names. At least we can
fix it to have just one list not two, and update the list to match
current reality.
A remaining problem with this is that it only works for built-in
GUC variables. pg_dump's list obvious knows nothing of third-party
extensions, and even the "ask guc.c" method isn't bulletproof since
the relevant extension might not be loaded. There's no obvious
solution to that, so for now, we'll just have to discourage extension
authors from inventing custom GUCs that need GUC_LIST_QUOTE.
This has been busted for a long time, so back-patch to all supported
branches.
Michael Paquier and Tom Lane, reviewed by Kyotaro Horiguchi and
Pavel Stehule
Discussion: https://postgr.es/m/20180111064900.GA51030@paquier.xyz
2018-03-22 01:03:28 +01:00
|
|
|
* Variables that are marked GUC_LIST_QUOTE were already fully quoted by
|
|
|
|
|
* flatten_set_variable_args() before they were put into the setconfig
|
|
|
|
|
* array; we mustn't re-quote them or we'll make a mess. Variables that
|
|
|
|
|
* are not so marked should just be emitted as simple string literals. If
|
|
|
|
|
* the variable is not known to variable_is_guc_list_quote(), we'll do the
|
|
|
|
|
* latter; this makes it unsafe to use GUC_LIST_QUOTE for extension
|
|
|
|
|
* variables.
|
Move handling of database properties from pg_dumpall into pg_dump.
This patch rearranges the division of labor between pg_dump and pg_dumpall
so that pg_dump itself handles all properties attached to a single
database. Notably, a database's ACL (GRANT/REVOKE status) and local GUC
settings established by ALTER DATABASE SET and ALTER ROLE IN DATABASE SET
can be dumped and restored by pg_dump. This is a long-requested
improvement.
"pg_dumpall -g" will now produce only role- and tablespace-related output,
nothing about individual databases. The total output of a regular
pg_dumpall run remains the same.
pg_dump (or pg_restore) will restore database-level properties only when
creating the target database with --create. This applies not only to
ACLs and GUCs but to the other database properties it already handled,
that is database comments and security labels. This is more consistent
and useful, but does represent an incompatibility in the behavior seen
without --create.
(This change makes the proposed patch to have pg_dump use "COMMENT ON
DATABASE CURRENT_DATABASE" unnecessary, since there is no case where
the command is issued that we won't know the true name of the database.
We might still want that patch as a feature in its own right, but pg_dump
no longer needs it.)
pg_dumpall with --clean will now drop and recreate the "postgres" and
"template1" databases in the target cluster, allowing their locale and
encoding settings to be changed if necessary, and providing a cleaner
way to set nondefault tablespaces for them than we had before. This
means that such a script must now always be started in the "postgres"
database; the order of drops and reconnects will not work otherwise.
Without --clean, the script will not adjust any database-level properties
of those two databases (including their comments, ACLs, and security
labels, which it formerly would try to set).
Another minor incompatibility is that the CREATE DATABASE commands in a
pg_dumpall script will now always specify locale and encoding settings.
Formerly those would be omitted if they matched the cluster's default.
While that behavior had some usefulness in some migration scenarios,
it also posed a significant hazard of unwanted locale/encoding changes.
To migrate to another locale/encoding, it's now necessary to use pg_dump
without --create to restore into a database with the desired settings.
Commit 4bd371f6f's hack to emit "SET default_transaction_read_only = off"
is gone: we now dodge that problem by the expedient of not issuing ALTER
DATABASE SET commands until after reconnecting to the target database.
Therefore, such settings won't apply during the restore session.
In passing, improve some shaky grammar in the docs, and add a note pointing
out that pg_dumpall's output can't be expected to load without any errors.
(Someday we might want to fix that, but this is not that patch.)
Haribabu Kommi, reviewed at various times by Andreas Karlsson,
Vaishnavi Prabakaran, and Robert Haas; further hacking by me.
Discussion: https://postgr.es/m/CAJrrPGcUurV0eWTeXODwsOYFN=Ekq36t1s0YnFYUNzsmRfdAyA@mail.gmail.com
2018-01-22 20:09:09 +01:00
|
|
|
*/
|
Fix mishandling of quoted-list GUC values in pg_dump and ruleutils.c.
Code that prints out the contents of setconfig or proconfig arrays in
SQL format needs to handle GUC_LIST_QUOTE variables differently from
other ones, because for those variables, flatten_set_variable_args()
already applied a layer of quoting. The value can therefore safely
be printed as-is, and indeed must be, or flatten_set_variable_args()
will muck it up completely on reload. For all other GUC variables,
it's necessary and sufficient to quote the value as a SQL literal.
We'd recognized the need for this long ago, but mis-analyzed the
need slightly, thinking that all GUC_LIST_INPUT variables needed
the special treatment. That's actually wrong, since a valid value
of a LIST variable might include characters that need quoting,
although no existing variables accept such values.
More to the point, we hadn't made any particular effort to keep the
various places that deal with this up-to-date with the set of variables
that actually need special treatment, meaning that we'd do the wrong
thing with, for example, temp_tablespaces values. This affects dumping
of SET clauses attached to functions, as well as ALTER DATABASE/ROLE SET
commands.
In ruleutils.c we can fix it reasonably honestly by exporting a guc.c
function that allows discovering the flags for a given GUC variable.
But pg_dump doesn't have easy access to that, so continue the old method
of having a hard-wired list of affected variable names. At least we can
fix it to have just one list not two, and update the list to match
current reality.
A remaining problem with this is that it only works for built-in
GUC variables. pg_dump's list obvious knows nothing of third-party
extensions, and even the "ask guc.c" method isn't bulletproof since
the relevant extension might not be loaded. There's no obvious
solution to that, so for now, we'll just have to discourage extension
authors from inventing custom GUCs that need GUC_LIST_QUOTE.
This has been busted for a long time, so back-patch to all supported
branches.
Michael Paquier and Tom Lane, reviewed by Kyotaro Horiguchi and
Pavel Stehule
Discussion: https://postgr.es/m/20180111064900.GA51030@paquier.xyz
2018-03-22 01:03:28 +01:00
|
|
|
if (variable_is_guc_list_quote(mine))
|
Move handling of database properties from pg_dumpall into pg_dump.
This patch rearranges the division of labor between pg_dump and pg_dumpall
so that pg_dump itself handles all properties attached to a single
database. Notably, a database's ACL (GRANT/REVOKE status) and local GUC
settings established by ALTER DATABASE SET and ALTER ROLE IN DATABASE SET
can be dumped and restored by pg_dump. This is a long-requested
improvement.
"pg_dumpall -g" will now produce only role- and tablespace-related output,
nothing about individual databases. The total output of a regular
pg_dumpall run remains the same.
pg_dump (or pg_restore) will restore database-level properties only when
creating the target database with --create. This applies not only to
ACLs and GUCs but to the other database properties it already handled,
that is database comments and security labels. This is more consistent
and useful, but does represent an incompatibility in the behavior seen
without --create.
(This change makes the proposed patch to have pg_dump use "COMMENT ON
DATABASE CURRENT_DATABASE" unnecessary, since there is no case where
the command is issued that we won't know the true name of the database.
We might still want that patch as a feature in its own right, but pg_dump
no longer needs it.)
pg_dumpall with --clean will now drop and recreate the "postgres" and
"template1" databases in the target cluster, allowing their locale and
encoding settings to be changed if necessary, and providing a cleaner
way to set nondefault tablespaces for them than we had before. This
means that such a script must now always be started in the "postgres"
database; the order of drops and reconnects will not work otherwise.
Without --clean, the script will not adjust any database-level properties
of those two databases (including their comments, ACLs, and security
labels, which it formerly would try to set).
Another minor incompatibility is that the CREATE DATABASE commands in a
pg_dumpall script will now always specify locale and encoding settings.
Formerly those would be omitted if they matched the cluster's default.
While that behavior had some usefulness in some migration scenarios,
it also posed a significant hazard of unwanted locale/encoding changes.
To migrate to another locale/encoding, it's now necessary to use pg_dump
without --create to restore into a database with the desired settings.
Commit 4bd371f6f's hack to emit "SET default_transaction_read_only = off"
is gone: we now dodge that problem by the expedient of not issuing ALTER
DATABASE SET commands until after reconnecting to the target database.
Therefore, such settings won't apply during the restore session.
In passing, improve some shaky grammar in the docs, and add a note pointing
out that pg_dumpall's output can't be expected to load without any errors.
(Someday we might want to fix that, but this is not that patch.)
Haribabu Kommi, reviewed at various times by Andreas Karlsson,
Vaishnavi Prabakaran, and Robert Haas; further hacking by me.
Discussion: https://postgr.es/m/CAJrrPGcUurV0eWTeXODwsOYFN=Ekq36t1s0YnFYUNzsmRfdAyA@mail.gmail.com
2018-01-22 20:09:09 +01:00
|
|
|
appendPQExpBufferStr(buf, pos);
|
|
|
|
|
else
|
|
|
|
|
appendStringLiteralConn(buf, pos, conn);
|
|
|
|
|
|
|
|
|
|
appendPQExpBufferStr(buf, ";\n");
|
|
|
|
|
|
|
|
|
|
pg_free(mine);
|
|
|
|
|
}
|
