From 6198420ad8a72e37f4fe4964616b17e0fd33b808 Mon Sep 17 00:00:00 2001 From: Joe Conway Date: Mon, 28 Mar 2022 15:10:04 -0400 Subject: [PATCH] Use has_privs_for_roles for predefined role checks Generally if a role is granted membership to another role with NOINHERIT they must use SET ROLE to access the privileges of that role, however with predefined roles the membership and privilege is conflated. Fix that by replacing is_member_of_role with has_privs_for_role for predefined roles. Patch does not remove is_member_of_role from acl.h, but it does add a warning not to use that function for privilege checking. Not backpatched based on hackers list discussion. Author: Joshua Brindle Reviewed-by: Stephen Frost, Nathan Bossart, Joe Conway Discussion: https://postgr.es/m/flat/CAGB+Vh4Zv_TvKt2tv3QNS6tUM_F_9icmuj0zjywwcgVi4PAhFA@mail.gmail.com --- contrib/adminpack/adminpack.c | 2 +- contrib/file_fdw/expected/file_fdw.out | 2 +- contrib/file_fdw/file_fdw.c | 8 ++++---- .../pg_stat_statements/pg_stat_statements.c | 4 ++-- contrib/pgrowlocks/pgrowlocks.c | 2 +- doc/src/sgml/adminpack.sgml | 6 +++--- doc/src/sgml/catalogs.sgml | 12 +++++------ doc/src/sgml/func.sgml | 12 +++++------ doc/src/sgml/monitoring.sgml | 2 +- doc/src/sgml/pgbuffercache.sgml | 2 +- doc/src/sgml/pgfreespacemap.sgml | 2 +- doc/src/sgml/pgrowlocks.sgml | 2 +- doc/src/sgml/pgstatstatements.sgml | 2 +- doc/src/sgml/pgvisibility.sgml | 4 ++-- src/backend/commands/copy.c | 12 +++++------ src/backend/replication/walreceiver.c | 8 ++++---- src/backend/replication/walsender.c | 8 ++++---- src/backend/utils/adt/acl.c | 4 ++++ src/backend/utils/adt/dbsize.c | 8 ++++---- src/backend/utils/adt/genfile.c | 6 +++--- src/backend/utils/adt/pgstatfuncs.c | 2 +- src/backend/utils/misc/guc.c | 20 +++++++++---------- .../unsafe_tests/expected/rolenames.out | 2 +- 23 files changed, 68 insertions(+), 64 deletions(-) diff --git a/contrib/adminpack/adminpack.c b/contrib/adminpack/adminpack.c index d7d84d096f..03addf1dc5 100644 --- a/contrib/adminpack/adminpack.c +++ b/contrib/adminpack/adminpack.c @@ -79,7 +79,7 @@ convert_and_check_filename(text *arg) * files on the server as the PG user, so no need to do any further checks * here. */ - if (is_member_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES)) + if (has_privs_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES)) return filename; /* diff --git a/contrib/file_fdw/expected/file_fdw.out b/contrib/file_fdw/expected/file_fdw.out index 0ac6e4e0d7..14acdb27e5 100644 --- a/contrib/file_fdw/expected/file_fdw.out +++ b/contrib/file_fdw/expected/file_fdw.out @@ -459,7 +459,7 @@ ALTER FOREIGN TABLE agg_text OWNER TO regress_file_fdw_user; ALTER FOREIGN TABLE agg_text OPTIONS (SET format 'text'); SET ROLE regress_file_fdw_user; ALTER FOREIGN TABLE agg_text OPTIONS (SET format 'text'); -ERROR: only superuser or a member of the pg_read_server_files role may specify the filename option of a file_fdw foreign table +ERROR: only superuser or a role with privileges of the pg_read_server_files role may specify the filename option of a file_fdw foreign table SET ROLE regress_file_fdw_superuser; -- cleanup RESET ROLE; diff --git a/contrib/file_fdw/file_fdw.c b/contrib/file_fdw/file_fdw.c index db08593d97..4773cadec0 100644 --- a/contrib/file_fdw/file_fdw.c +++ b/contrib/file_fdw/file_fdw.c @@ -269,16 +269,16 @@ file_fdw_validator(PG_FUNCTION_ARGS) * otherwise there'd still be a security hole. */ if (strcmp(def->defname, "filename") == 0 && - !is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("only superuser or a member of the pg_read_server_files role may specify the filename option of a file_fdw foreign table"))); + errmsg("only superuser or a role with privileges of the pg_read_server_files role may specify the filename option of a file_fdw foreign table"))); if (strcmp(def->defname, "program") == 0 && - !is_member_of_role(GetUserId(), ROLE_PG_EXECUTE_SERVER_PROGRAM)) + !has_privs_of_role(GetUserId(), ROLE_PG_EXECUTE_SERVER_PROGRAM)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("only superuser or a member of the pg_execute_server_program role may specify the program option of a file_fdw foreign table"))); + errmsg("only superuser or a role with privileges of the pg_execute_server_program role may specify the program option of a file_fdw foreign table"))); filename = defGetString(def); } diff --git a/contrib/pg_stat_statements/pg_stat_statements.c b/contrib/pg_stat_statements/pg_stat_statements.c index 9e525a6ad3..55786ae84f 100644 --- a/contrib/pg_stat_statements/pg_stat_statements.c +++ b/contrib/pg_stat_statements/pg_stat_statements.c @@ -1503,8 +1503,8 @@ pg_stat_statements_internal(FunctionCallInfo fcinfo, HASH_SEQ_STATUS hash_seq; pgssEntry *entry; - /* Superusers or members of pg_read_all_stats members are allowed */ - is_allowed_role = is_member_of_role(userid, ROLE_PG_READ_ALL_STATS); + /* Superusers or roles with the privileges of pg_read_all_stats members are allowed */ + is_allowed_role = has_privs_of_role(userid, ROLE_PG_READ_ALL_STATS); /* hash table must exist already */ if (!pgss || !pgss_hash) diff --git a/contrib/pgrowlocks/pgrowlocks.c b/contrib/pgrowlocks/pgrowlocks.c index 713a165203..1d4d4965ac 100644 --- a/contrib/pgrowlocks/pgrowlocks.c +++ b/contrib/pgrowlocks/pgrowlocks.c @@ -104,7 +104,7 @@ pgrowlocks(PG_FUNCTION_ARGS) aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), ACL_SELECT); if (aclresult != ACLCHECK_OK) - aclresult = is_member_of_role(GetUserId(), ROLE_PG_STAT_SCAN_TABLES) ? ACLCHECK_OK : ACLCHECK_NO_PRIV; + aclresult = has_privs_of_role(GetUserId(), ROLE_PG_STAT_SCAN_TABLES) ? ACLCHECK_OK : ACLCHECK_NO_PRIV; if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, get_relkind_objtype(rel->rd_rel->relkind), diff --git a/doc/src/sgml/adminpack.sgml b/doc/src/sgml/adminpack.sgml index 0dd89be353..5702456cd2 100644 --- a/doc/src/sgml/adminpack.sgml +++ b/doc/src/sgml/adminpack.sgml @@ -22,9 +22,9 @@ functions in , which provide read-only access.) Only files within the database cluster directory can be accessed, unless the - user is a superuser or given one of the pg_read_server_files, or pg_write_server_files - roles, as appropriate for the function, but either a relative or absolute path is - allowable. + user is a superuser or given privileges of one of the pg_read_server_files, + or pg_write_server_files roles, as appropriate for the function, but either a + relative or absolute path is allowable. diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml index 94f01e4099..23e06b81a4 100644 --- a/doc/src/sgml/catalogs.sgml +++ b/doc/src/sgml/catalogs.sgml @@ -10044,8 +10044,8 @@ SCRAM-SHA-256$<iteration count>:&l By default, the pg_backend_memory_contexts view can be - read only by superusers or members of the pg_read_all_stats - role. + read only by superusers or roles with the privileges of the + pg_read_all_stats role. @@ -12552,7 +12552,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx Configuration file the current value was set in (null for values set from sources other than configuration files, or when - examined by a user who is neither a superuser or a member of + examined by a user who neither is a superuser nor has privileges of pg_read_all_settings); helpful when using include directives in configuration files @@ -12565,7 +12565,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx Line number within the configuration file the current value was set at (null for values set from sources other than configuration files, - or when examined by a user who is neither a superuser or a member of + or when examined by a user who neither is a superuser nor has privileges of pg_read_all_settings). @@ -12941,8 +12941,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx By default, the pg_shmem_allocations view can be - read only by superusers or members of the pg_read_all_stats - role. + read only by superusers or roles with privileges of the + pg_read_all_stats role. diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml index 8a802fb225..3a9d62b408 100644 --- a/doc/src/sgml/func.sgml +++ b/doc/src/sgml/func.sgml @@ -25435,7 +25435,7 @@ SELECT collation for ('foo' COLLATE "de_DE"); Cancels the current query of the session whose backend process has the specified process ID. This is also allowed if the calling role is a member of the role whose backend is being canceled or - the calling role has been granted pg_signal_backend, + the calling role has privileges of pg_signal_backend, however only superusers can cancel superuser backends. @@ -25508,7 +25508,7 @@ SELECT collation for ('foo' COLLATE "de_DE"); Terminates the session whose backend process has the specified process ID. This is also allowed if the calling role is a member of the role whose backend is being terminated or the - calling role has been granted pg_signal_backend, + calling role has privileges of pg_signal_backend, however only superusers can terminate superuser backends. @@ -26783,7 +26783,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup()); Computes the total disk space used by the database with the specified name or OID. To use this function, you must have CONNECT privilege on the specified database - (which is granted by default) or be a member of + (which is granted by default) or have privileges of the pg_read_all_stats role. @@ -26913,7 +26913,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup()); Computes the total disk space used in the tablespace with the specified name or OID. To use this function, you must have CREATE privilege on the specified tablespace - or be a member of the pg_read_all_stats role, + or have privileges of the pg_read_all_stats role, unless it is the default tablespace for the current database. @@ -27392,7 +27392,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size a dot, directories, and other special files are excluded. - This function is restricted to superusers and members of + This function is restricted to superusers and roles with privileges of the pg_monitor role by default, but other users can be granted EXECUTE to run the function. @@ -27416,7 +27416,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size are excluded. - This function is restricted to superusers and members of + This function is restricted to superusers and roles with privileges of the pg_monitor role by default, but other users can be granted EXECUTE to run the function. diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml index 35b2923c5e..6a6b09dc45 100644 --- a/doc/src/sgml/monitoring.sgml +++ b/doc/src/sgml/monitoring.sgml @@ -280,7 +280,7 @@ postgres 27093 0.0 0.0 30096 2752 ? Ss 11:34 0:00 postgres: ser (sessions belonging to a role that they are a member of). In rows about other sessions, many columns will be null. Note, however, that the existence of a session and its general properties such as its sessions user - and database are visible to all users. Superusers and members of the + and database are visible to all users. Superusers and roles with privileges of built-in role pg_read_all_stats (see also ) can see all the information about all sessions. diff --git a/doc/src/sgml/pgbuffercache.sgml b/doc/src/sgml/pgbuffercache.sgml index e68d159d30..a06fd3e26d 100644 --- a/doc/src/sgml/pgbuffercache.sgml +++ b/doc/src/sgml/pgbuffercache.sgml @@ -24,7 +24,7 @@ - By default, use is restricted to superusers and members of the + By default, use is restricted to superusers and roles with privileges of the pg_monitor role. Access may be granted to others using GRANT. diff --git a/doc/src/sgml/pgfreespacemap.sgml b/doc/src/sgml/pgfreespacemap.sgml index 1f7867d9b9..3063885c2c 100644 --- a/doc/src/sgml/pgfreespacemap.sgml +++ b/doc/src/sgml/pgfreespacemap.sgml @@ -16,7 +16,7 @@ - By default use is restricted to superusers and members of the + By default use is restricted to superusers and roles with privileges of the pg_stat_scan_tables role. Access may be granted to others using GRANT. diff --git a/doc/src/sgml/pgrowlocks.sgml b/doc/src/sgml/pgrowlocks.sgml index 392d5f1f9a..2914bf6e6d 100644 --- a/doc/src/sgml/pgrowlocks.sgml +++ b/doc/src/sgml/pgrowlocks.sgml @@ -13,7 +13,7 @@ - By default use is restricted to superusers, members of the + By default use is restricted to superusers, roles with privileges of the pg_stat_scan_tables role, and users with SELECT permissions on the table. diff --git a/doc/src/sgml/pgstatstatements.sgml b/doc/src/sgml/pgstatstatements.sgml index bc9d5bdbe3..3a7e36bd13 100644 --- a/doc/src/sgml/pgstatstatements.sgml +++ b/doc/src/sgml/pgstatstatements.sgml @@ -384,7 +384,7 @@
- For security reasons, only superusers and members of the + For security reasons, only superusers and roles with privileges of the pg_read_all_stats role are allowed to see the SQL text and queryid of queries executed by other users. Other users can see the statistics, however, if the view has been installed diff --git a/doc/src/sgml/pgvisibility.sgml b/doc/src/sgml/pgvisibility.sgml index 75336946a6..8090aa5207 100644 --- a/doc/src/sgml/pgvisibility.sgml +++ b/doc/src/sgml/pgvisibility.sgml @@ -140,8 +140,8 @@ - By default, these functions are executable only by superusers and members of the - pg_stat_scan_tables role, with the exception of + By default, these functions are executable only by superusers and roles with privileges + of the pg_stat_scan_tables role, with the exception of pg_truncate_visibility_map(relation regclass) which can only be executed by superusers. diff --git a/src/backend/commands/copy.c b/src/backend/commands/copy.c index 7da7105d44..7a0c897cc9 100644 --- a/src/backend/commands/copy.c +++ b/src/backend/commands/copy.c @@ -80,26 +80,26 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt, { if (stmt->is_program) { - if (!is_member_of_role(GetUserId(), ROLE_PG_EXECUTE_SERVER_PROGRAM)) + if (!has_privs_of_role(GetUserId(), ROLE_PG_EXECUTE_SERVER_PROGRAM)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser or a member of the pg_execute_server_program role to COPY to or from an external program"), + errmsg("must be superuser or have privileges of the pg_execute_server_program role to COPY to or from an external program"), errhint("Anyone can COPY to stdout or from stdin. " "psql's \\copy command also works for anyone."))); } else { - if (is_from && !is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) + if (is_from && !has_privs_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser or a member of the pg_read_server_files role to COPY from a file"), + errmsg("must be superuser or have privileges of the pg_read_server_files role to COPY from a file"), errhint("Anyone can COPY to stdout or from stdin. " "psql's \\copy command also works for anyone."))); - if (!is_from && !is_member_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES)) + if (!is_from && !has_privs_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser or a member of the pg_write_server_files role to COPY to a file"), + errmsg("must be superuser or have privileges of the pg_write_server_files role to COPY to a file"), errhint("Anyone can COPY to stdout or from stdin. " "psql's \\copy command also works for anyone."))); } diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c index ceaff097b9..3c9411e221 100644 --- a/src/backend/replication/walreceiver.c +++ b/src/backend/replication/walreceiver.c @@ -1403,12 +1403,12 @@ pg_stat_get_wal_receiver(PG_FUNCTION_ARGS) /* Fetch values */ values[0] = Int32GetDatum(pid); - if (!is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) + if (!has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { /* - * Only superusers and members of pg_read_all_stats can see details. - * Other users only get the pid value to know whether it is a WAL - * receiver, but no details. + * Only superusers and roles with privileges of pg_read_all_stats + * can see details. Other users only get the pid value to know whether + * it is a WAL receiver, but no details. */ MemSet(&nulls[1], true, sizeof(bool) * (tupdesc->natts - 1)); } diff --git a/src/backend/replication/walsender.c b/src/backend/replication/walsender.c index 2d0292a092..cffb3482ad 100644 --- a/src/backend/replication/walsender.c +++ b/src/backend/replication/walsender.c @@ -3473,12 +3473,12 @@ pg_stat_get_wal_senders(PG_FUNCTION_ARGS) memset(nulls, 0, sizeof(nulls)); values[0] = Int32GetDatum(pid); - if (!is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) + if (!has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { /* - * Only superusers and members of pg_read_all_stats can see - * details. Other users only get the pid value to know it's a - * walsender, but no details. + * Only superusers and roles with privileges of pg_read_all_stats + * can see details. Other users only get the pid value to know + * it's a walsender, but no details. */ MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1); } diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index 5d939de3da..83cf7ac9ff 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -4859,6 +4859,8 @@ has_privs_of_role(Oid member, Oid role) * Is member a member of role (directly or indirectly)? * * This is defined to recurse through roles regardless of rolinherit. + * + * Do not use this for privilege checking, instead use has_privs_of_role() */ bool is_member_of_role(Oid member, Oid role) @@ -4899,6 +4901,8 @@ check_is_member_of_role(Oid member, Oid role) * * This is identical to is_member_of_role except we ignore superuser * status. + * + * Do not use this for privilege checking, instead use has_privs_of_role() */ bool is_member_of_role_nosuper(Oid member, Oid role) diff --git a/src/backend/utils/adt/dbsize.c b/src/backend/utils/adt/dbsize.c index 3a2f2e1f99..0576764ac4 100644 --- a/src/backend/utils/adt/dbsize.c +++ b/src/backend/utils/adt/dbsize.c @@ -112,12 +112,12 @@ calculate_database_size(Oid dbOid) AclResult aclresult; /* - * User must have connect privilege for target database or be a member of + * User must have connect privilege for target database or have privileges of * pg_read_all_stats */ aclresult = pg_database_aclcheck(dbOid, GetUserId(), ACL_CONNECT); if (aclresult != ACLCHECK_OK && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { aclcheck_error(aclresult, OBJECT_DATABASE, get_database_name(dbOid)); @@ -196,12 +196,12 @@ calculate_tablespace_size(Oid tblspcOid) AclResult aclresult; /* - * User must be a member of pg_read_all_stats or have CREATE privilege for + * User must have privileges of pg_read_all_stats or have CREATE privilege for * target tablespace, either explicitly granted or implicitly because it * is default for current database. */ if (tblspcOid != MyDatabaseTableSpace && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { aclresult = pg_tablespace_aclcheck(tblspcOid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) diff --git a/src/backend/utils/adt/genfile.c b/src/backend/utils/adt/genfile.c index 1ed01620a1..88f279d1b3 100644 --- a/src/backend/utils/adt/genfile.c +++ b/src/backend/utils/adt/genfile.c @@ -59,11 +59,11 @@ convert_and_check_filename(text *arg) canonicalize_path(filename); /* filename can change length here */ /* - * Members of the 'pg_read_server_files' role are allowed to access any - * files on the server as the PG user, so no need to do any further checks + * Roles with privleges of the 'pg_read_server_files' role are allowed to access + * any files on the server as the PG user, so no need to do any further checks * here. */ - if (is_member_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) + if (has_privs_of_role(GetUserId(), ROLE_PG_READ_SERVER_FILES)) return filename; /* diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c index eff45b16f2..ce84525d40 100644 --- a/src/backend/utils/adt/pgstatfuncs.c +++ b/src/backend/utils/adt/pgstatfuncs.c @@ -34,7 +34,7 @@ #define UINT32_ACCESS_ONCE(var) ((uint32)(*((volatile uint32 *)&(var)))) -#define HAS_PGSTAT_PERMISSIONS(role) (is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS) || has_privs_of_role(GetUserId(), role)) +#define HAS_PGSTAT_PERMISSIONS(role) (has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS) || has_privs_of_role(GetUserId(), role)) Datum pg_stat_get_numscans(PG_FUNCTION_ARGS) diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index b86137dc38..eb3a03b976 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -8228,10 +8228,10 @@ GetConfigOption(const char *name, bool missing_ok, bool restrict_privileged) return NULL; if (restrict_privileged && (record->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", + errmsg("must be superuser or have privileges of pg_read_all_settings to examine \"%s\"", name))); switch (record->vartype) @@ -8275,10 +8275,10 @@ GetConfigOptionResetString(const char *name) record = find_option(name, false, false, ERROR); Assert(record != NULL); if ((record->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", + errmsg("must be superuser or have privileges of pg_read_all_settings to examine \"%s\"", name))); switch (record->vartype) @@ -9566,7 +9566,7 @@ ShowAllGUCConfig(DestReceiver *dest) if ((conf->flags & GUC_NO_SHOW_ALL) || ((conf->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) continue; /* assign to the values array */ @@ -9633,7 +9633,7 @@ get_explain_guc_options(int *num) /* return only options visible to the current user */ if ((conf->flags & GUC_NO_SHOW_ALL) || ((conf->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) continue; /* return only options that are different from their boot values */ @@ -9715,10 +9715,10 @@ GetConfigOptionByName(const char *name, const char **varname, bool missing_ok) } if ((record->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("must be superuser or a member of pg_read_all_settings to examine \"%s\"", + errmsg("must be superuser or have privileges of pg_read_all_settings to examine \"%s\"", name))); if (varname) @@ -9785,7 +9785,7 @@ GetConfigOptionByNum(int varnum, const char **values, bool *noshow) { if ((conf->flags & GUC_NO_SHOW_ALL) || ((conf->flags & GUC_SUPERUSER_ONLY) && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS))) *noshow = true; else *noshow = false; @@ -9980,7 +9980,7 @@ GetConfigOptionByNum(int varnum, const char **values, bool *noshow) * insufficiently-privileged users. */ if (conf->source == PGC_S_FILE && - is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) + has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_SETTINGS)) { values[14] = conf->sourcefile; snprintf(buffer, sizeof(buffer), "%d", conf->sourceline); diff --git a/src/test/modules/unsafe_tests/expected/rolenames.out b/src/test/modules/unsafe_tests/expected/rolenames.out index eb608fdc2e..88b1ff843b 100644 --- a/src/test/modules/unsafe_tests/expected/rolenames.out +++ b/src/test/modules/unsafe_tests/expected/rolenames.out @@ -1077,7 +1077,7 @@ SHOW session_preload_libraries; SET SESSION AUTHORIZATION regress_role_nopriv; -- fails with role not member of pg_read_all_settings SHOW session_preload_libraries; -ERROR: must be superuser or a member of pg_read_all_settings to examine "session_preload_libraries" +ERROR: must be superuser or have privileges of pg_read_all_settings to examine "session_preload_libraries" RESET SESSION AUTHORIZATION; ERROR: current transaction is aborted, commands ignored until end of transaction block ROLLBACK;