From 48a257d444a787941ba3da24d65e6cbe31461d0a Mon Sep 17 00:00:00 2001 From: Robert Haas Date: Mon, 19 Sep 2022 14:21:59 -0400 Subject: [PATCH] Make ALTER DEFAULT PRIVILEGES require privileges, not membership. If role A is a direct or indirect member of role B but does not inherit B's privileges (because at least one relevant grant was created WITH INHERIT FALSE) then A should not be permitted to bypass privilege checks that require the privileges of B. For example, A can't change the privileges of objects owned by B, nor can A drop those objects. However, up until now, it's been possible for A to change default privileges for role B. That doesn't seem to be correct, because a non-inherited role grant is only supposed to permit you to assume the identity of the granted role via SET ROLE, and should not otherwise permit you to exercise the privileges of that role. Most places followed that rule, but this case was an exception. This could be construed as a security vulnerability, but it does not seem entirely clear cut, since older branches were fuzzy about the distinction between is_member_of_role() and has_privs_of_role() in a number of other ways as well. Because of this, and because user-visible behavior changes in minor releases are to be avoided whenever possible, no back-patch. Discussion: http://postgr.es/m/CA+TgmobG_YUP06R_PM_2Z7wR0qv_52gQPHD8CYXbJva0cf0E+A@mail.gmail.com --- src/backend/catalog/aclchk.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index b20974bbeb..dc4c1e748d 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -1117,13 +1117,10 @@ ExecAlterDefaultPrivilegesStmt(ParseState *pstate, AlterDefaultPrivilegesStmt *s iacls.roleid = get_rolespec_oid(rolespec, false); - /* - * We insist that calling user be a member of each target role. If - * he has that, he could become that role anyway via SET ROLE, so - * FOR ROLE is just a syntactic convenience and doesn't give any - * special privileges. - */ - check_is_member_of_role(GetUserId(), iacls.roleid); + if (!has_privs_of_role(GetUserId(), iacls.roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to change default privileges"))); SetDefaultACLsInSchemas(&iacls, nspnames); }