Fix the problem of GRANTs creating "dangling" privileges not directly

traceable to grant options. As per my earlier proposal, a GRANT made by a role member has to be recorded as being granted by the role that actually holds the grant option, and not the member.
2005-10-10 18:49:04 +00:00 · 2005-10-10 18:49:04 +00:00 · 9178306151
parent d7527540f2
commit 9178306151
3 changed files with 415 additions and 236 deletions
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.118 2005/08/17 19:45:51 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.119 2005/10/10 18:49:01 tgl Exp $
 *
 * NOTES
 *	  See acl.h.
@ -70,32 +70,6 @@ dumpacl(Acl *acl)
 #endif   /* ACLDEBUG */
 /*
 * Determine the effective grantor ID for a GRANT or REVOKE operation.
 *
 * Ordinarily this is just the current user, but when a superuser does
 * GRANT or REVOKE, we pretend he is the object owner.	This ensures that
 * all granted privileges appear to flow from the object owner, and there
 * are never multiple "original sources" of a privilege.
 */
 static Oid
 select_grantor(Oid ownerId)
 {
 	Oid		grantorId;
 	grantorId = GetUserId();
 	/* fast path if no difference */
 	if (grantorId == ownerId)
 		return grantorId;
 	if (superuser())
 		grantorId = ownerId;
 	return grantorId;
 }
 /*
 * If is_grant is true, adds the given privileges for the list of
 * grantees to the existing old_acl.  If is_grant is false, the
@ -243,7 +217,7 @@ ExecuteGrantStmt_Relation(GrantStmt *stmt)
 		Form_pg_class pg_class_tuple;
 		Datum		aclDatum;
 		bool		isNull;
-		AclMode		my_goptions;
+		AclMode		avail_goptions;
 		AclMode		this_privileges;
 		Acl		   *old_acl;
 		Acl		   *new_acl;
@ -282,28 +256,36 @@ ExecuteGrantStmt_Relation(GrantStmt *stmt)
 					 errmsg("\"%s\" is a composite type",
 							relvar->relname)));
 		/*
 		 * Get owner ID and working copy of existing ACL.
 		 * If there's no ACL, substitute the proper default.
 		 */
 		ownerId = pg_class_tuple->relowner;
-		grantorId = select_grantor(ownerId);
+		aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
 								   &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_RELATION, ownerId);
 		else
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/* Determine ID to do the grant as, and available grant options */
 		select_best_grantor(GetUserId(), privileges,
 							old_acl, ownerId,
 							&grantorId, &avail_goptions);
 		/*
-		 * Must be owner or have some privilege on the object (per spec,
+		 * If we found no grant options, consider whether to issue a hard
-		 * any privilege will get you by here).  The owner is always
+		 * error.  Per spec, having any privilege at all on the object
-		 * treated as having all grant options.
+		 * will get you by here.
 		 */
-		if (pg_class_ownercheck(relOid, GetUserId()))
+		if (avail_goptions == ACL_NO_RIGHTS)
 			my_goptions = ACL_ALL_RIGHTS_RELATION;
 		else
 		{
-			AclMode		my_rights;
+			if (pg_class_aclmask(relOid,
-
+								 grantorId,
-			my_rights = pg_class_aclmask(relOid,
+								 ACL_ALL_RIGHTS_RELATION | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_RELATION),
-										 GetUserId(),
+								 ACLMASK_ANY) == ACL_NO_RIGHTS)
 										 ACL_ALL_RIGHTS_RELATION | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_RELATION),
 										 ACLMASK_ALL);
 			if (my_rights == ACL_NO_RIGHTS)
 				aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_CLASS,
 							   relvar->relname);
 			my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
 		}
 		/*
@ -314,7 +296,7 @@ ExecuteGrantStmt_Relation(GrantStmt *stmt)
 		 * In practice that behavior seems much too noisy, as well as
 		 * inconsistent with the GRANT case.)
 		 */
-		this_privileges = privileges & my_goptions;
+		this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
 		if (stmt->is_grant)
 		{
 			if (this_privileges == 0)
@ -339,17 +321,8 @@ ExecuteGrantStmt_Relation(GrantStmt *stmt)
 		}
 		/*
-		 * If there's no ACL, substitute the proper default.
+		 * Generate new ACL.
-		 */
+		 *
 		aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
 								   &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_RELATION, ownerId);
 		else
 			/* get a detoasted copy of the ACL */
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/*
 		 * We need the members of both old and new ACLs so we can correct
 		 * the shared dependency information.
 		 */
@ -434,7 +407,7 @@ ExecuteGrantStmt_Database(GrantStmt *stmt)
 		Form_pg_database pg_database_tuple;
 		Datum		aclDatum;
 		bool		isNull;
-		AclMode		my_goptions;
+		AclMode		avail_goptions;
 		AclMode		this_privileges;
 		Acl		   *old_acl;
 		Acl		   *new_acl;
@ -462,28 +435,36 @@ ExecuteGrantStmt_Database(GrantStmt *stmt)
 					 errmsg("database \"%s\" does not exist", dbname)));
 		pg_database_tuple = (Form_pg_database) GETSTRUCT(tuple);
 		/*
 		 * Get owner ID and working copy of existing ACL.
 		 * If there's no ACL, substitute the proper default.
 		 */
 		ownerId = pg_database_tuple->datdba;
-		grantorId = select_grantor(ownerId);
+		aclDatum = heap_getattr(tuple, Anum_pg_database_datacl,
 								RelationGetDescr(relation), &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_DATABASE, ownerId);
 		else
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/* Determine ID to do the grant as, and available grant options */
 		select_best_grantor(GetUserId(), privileges,
 							old_acl, ownerId,
 							&grantorId, &avail_goptions);
 		/*
-		 * Must be owner or have some privilege on the object (per spec,
+		 * If we found no grant options, consider whether to issue a hard
-		 * any privilege will get you by here).  The owner is always
+		 * error.  Per spec, having any privilege at all on the object
-		 * treated as having all grant options.
+		 * will get you by here.
 		 */
-		if (pg_database_ownercheck(HeapTupleGetOid(tuple), GetUserId()))
+		if (avail_goptions == ACL_NO_RIGHTS)
 			my_goptions = ACL_ALL_RIGHTS_DATABASE;
 		else
 		{
-			AclMode		my_rights;
+			if (pg_database_aclmask(HeapTupleGetOid(tuple),
-
+									grantorId,
-			my_rights = pg_database_aclmask(HeapTupleGetOid(tuple),
+									ACL_ALL_RIGHTS_DATABASE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_DATABASE),
-											GetUserId(),
+									ACLMASK_ANY) == ACL_NO_RIGHTS)
 											ACL_ALL_RIGHTS_DATABASE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_DATABASE),
 											ACLMASK_ALL);
 			if (my_rights == ACL_NO_RIGHTS)
 				aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_DATABASE,
 							   NameStr(pg_database_tuple->datname));
 			my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
 		}
 		/*
@ -494,7 +475,7 @@ ExecuteGrantStmt_Database(GrantStmt *stmt)
 		 * In practice that behavior seems much too noisy, as well as
 		 * inconsistent with the GRANT case.)
 		 */
-		this_privileges = privileges & my_goptions;
+		this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
 		if (stmt->is_grant)
 		{
 			if (this_privileges == 0)
@ -519,17 +500,8 @@ ExecuteGrantStmt_Database(GrantStmt *stmt)
 		}
 		/*
-		 * If there's no ACL, substitute the proper default.
+		 * Generate new ACL.
-		 */
+		 *
 		aclDatum = heap_getattr(tuple, Anum_pg_database_datacl,
 								RelationGetDescr(relation), &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_DATABASE, ownerId);
 		else
 			/* get a detoasted copy of the ACL */
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/*
 		 * We need the members of both old and new ACLs so we can correct
 		 * the shared dependency information.
 		 */
@ -613,7 +585,7 @@ ExecuteGrantStmt_Function(GrantStmt *stmt)
 		Form_pg_proc pg_proc_tuple;
 		Datum		aclDatum;
 		bool		isNull;
-		AclMode		my_goptions;
+		AclMode		avail_goptions;
 		AclMode		this_privileges;
 		Acl		   *old_acl;
 		Acl		   *new_acl;
@ -638,28 +610,36 @@ ExecuteGrantStmt_Function(GrantStmt *stmt)
 			elog(ERROR, "cache lookup failed for function %u", oid);
 		pg_proc_tuple = (Form_pg_proc) GETSTRUCT(tuple);
 		/*
 		 * Get owner ID and working copy of existing ACL.
 		 * If there's no ACL, substitute the proper default.
 		 */
 		ownerId = pg_proc_tuple->proowner;
-		grantorId = select_grantor(ownerId);
+		aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
 								   &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_FUNCTION, ownerId);
 		else
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/* Determine ID to do the grant as, and available grant options */
 		select_best_grantor(GetUserId(), privileges,
 							old_acl, ownerId,
 							&grantorId, &avail_goptions);
 		/*
-		 * Must be owner or have some privilege on the object (per spec,
+		 * If we found no grant options, consider whether to issue a hard
-		 * any privilege will get you by here).  The owner is always
+		 * error.  Per spec, having any privilege at all on the object
-		 * treated as having all grant options.
+		 * will get you by here.
 		 */
-		if (pg_proc_ownercheck(oid, GetUserId()))
+		if (avail_goptions == ACL_NO_RIGHTS)
 			my_goptions = ACL_ALL_RIGHTS_FUNCTION;
 		else
 		{
-			AclMode		my_rights;
+			if (pg_proc_aclmask(oid,
-
+								grantorId,
-			my_rights = pg_proc_aclmask(oid,
+								ACL_ALL_RIGHTS_FUNCTION | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_FUNCTION),
-										GetUserId(),
+								ACLMASK_ANY) == ACL_NO_RIGHTS)
 										ACL_ALL_RIGHTS_FUNCTION | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_FUNCTION),
 										ACLMASK_ALL);
 			if (my_rights == ACL_NO_RIGHTS)
 				aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_PROC,
 							   NameStr(pg_proc_tuple->proname));
 			my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
 		}
 		/*
@ -670,7 +650,7 @@ ExecuteGrantStmt_Function(GrantStmt *stmt)
 		 * In practice that behavior seems much too noisy, as well as
 		 * inconsistent with the GRANT case.)
 		 */
-		this_privileges = privileges & my_goptions;
+		this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
 		if (stmt->is_grant)
 		{
 			if (this_privileges == 0)
@ -695,17 +675,8 @@ ExecuteGrantStmt_Function(GrantStmt *stmt)
 		}
 		/*
-		 * If there's no ACL, substitute the proper default.
+		 * Generate new ACL.
-		 */
+		 *
 		aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
 								   &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_FUNCTION, ownerId);
 		else
 			/* get a detoasted copy of the ACL */
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/*
 		 * We need the members of both old and new ACLs so we can correct
 		 * the shared dependency information.
 		 */
@ -788,7 +759,7 @@ ExecuteGrantStmt_Language(GrantStmt *stmt)
 		Form_pg_language pg_language_tuple;
 		Datum		aclDatum;
 		bool		isNull;
-		AclMode		my_goptions;
+		AclMode		avail_goptions;
 		AclMode		this_privileges;
 		Acl		   *old_acl;
 		Acl		   *new_acl;
@ -820,31 +791,38 @@ ExecuteGrantStmt_Language(GrantStmt *stmt)
 			   errhint("Only superusers may use untrusted languages.")));
 		/*
 		 * Get owner ID and working copy of existing ACL.
 		 * If there's no ACL, substitute the proper default.
 		 *
 		 * Note: for now, languages are treated as owned by the bootstrap
 		 * user.  We should add an owner column to pg_language instead.
 		 */
 		ownerId = BOOTSTRAP_SUPERUSERID;
-		grantorId = select_grantor(ownerId);
+		aclDatum = SysCacheGetAttr(LANGNAME, tuple, Anum_pg_language_lanacl,
 								   &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_LANGUAGE, ownerId);
 		else
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/* Determine ID to do the grant as, and available grant options */
 		select_best_grantor(GetUserId(), privileges,
 							old_acl, ownerId,
 							&grantorId, &avail_goptions);
 		/*
-		 * Must be owner or have some privilege on the object (per spec,
+		 * If we found no grant options, consider whether to issue a hard
-		 * any privilege will get you by here).  The owner is always
+		 * error.  Per spec, having any privilege at all on the object
-		 * treated as having all grant options.
+		 * will get you by here.
 		 */
-		if (superuser())		/* XXX no ownercheck() available */
+		if (avail_goptions == ACL_NO_RIGHTS)
 			my_goptions = ACL_ALL_RIGHTS_LANGUAGE;
 		else
 		{
-			AclMode		my_rights;
+			if (pg_language_aclmask(HeapTupleGetOid(tuple),
-
+									grantorId,
-			my_rights = pg_language_aclmask(HeapTupleGetOid(tuple),
+									ACL_ALL_RIGHTS_LANGUAGE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_LANGUAGE),
-											GetUserId(),
+									ACLMASK_ANY) == ACL_NO_RIGHTS)
 											ACL_ALL_RIGHTS_LANGUAGE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_LANGUAGE),
 											ACLMASK_ALL);
 			if (my_rights == ACL_NO_RIGHTS)
 				aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_LANGUAGE,
 							   NameStr(pg_language_tuple->lanname));
 			my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
 		}
 		/*
@ -855,7 +833,7 @@ ExecuteGrantStmt_Language(GrantStmt *stmt)
 		 * In practice that behavior seems much too noisy, as well as
 		 * inconsistent with the GRANT case.)
 		 */
-		this_privileges = privileges & my_goptions;
+		this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
 		if (stmt->is_grant)
 		{
 			if (this_privileges == 0)
@ -880,17 +858,8 @@ ExecuteGrantStmt_Language(GrantStmt *stmt)
 		}
 		/*
-		 * If there's no ACL, substitute the proper default.
+		 * Generate new ACL.
-		 */
+		 *
 		aclDatum = SysCacheGetAttr(LANGNAME, tuple, Anum_pg_language_lanacl,
 								   &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_LANGUAGE, ownerId);
 		else
 			/* get a detoasted copy of the ACL */
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/*
 		 * We need the members of both old and new ACLs so we can correct
 		 * the shared dependency information.
 		 */
@ -973,7 +942,7 @@ ExecuteGrantStmt_Namespace(GrantStmt *stmt)
 		Form_pg_namespace pg_namespace_tuple;
 		Datum		aclDatum;
 		bool		isNull;
-		AclMode		my_goptions;
+		AclMode		avail_goptions;
 		AclMode		this_privileges;
 		Acl		   *old_acl;
 		Acl		   *new_acl;
@ -998,28 +967,37 @@ ExecuteGrantStmt_Namespace(GrantStmt *stmt)
 					 errmsg("schema \"%s\" does not exist", nspname)));
 		pg_namespace_tuple = (Form_pg_namespace) GETSTRUCT(tuple);
 		/*
 		 * Get owner ID and working copy of existing ACL.
 		 * If there's no ACL, substitute the proper default.
 		 */
 		ownerId = pg_namespace_tuple->nspowner;
-		grantorId = select_grantor(ownerId);
+		aclDatum = SysCacheGetAttr(NAMESPACENAME, tuple,
 								   Anum_pg_namespace_nspacl,
 								   &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId);
 		else
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/* Determine ID to do the grant as, and available grant options */
 		select_best_grantor(GetUserId(), privileges,
 							old_acl, ownerId,
 							&grantorId, &avail_goptions);
 		/*
-		 * Must be owner or have some privilege on the object (per spec,
+		 * If we found no grant options, consider whether to issue a hard
-		 * any privilege will get you by here).  The owner is always
+		 * error.  Per spec, having any privilege at all on the object
-		 * treated as having all grant options.
+		 * will get you by here.
 		 */
-		if (pg_namespace_ownercheck(HeapTupleGetOid(tuple), GetUserId()))
+		if (avail_goptions == ACL_NO_RIGHTS)
 			my_goptions = ACL_ALL_RIGHTS_NAMESPACE;
 		else
 		{
-			AclMode		my_rights;
+			if (pg_namespace_aclmask(HeapTupleGetOid(tuple),
-
+									 grantorId,
-			my_rights = pg_namespace_aclmask(HeapTupleGetOid(tuple),
+									 ACL_ALL_RIGHTS_NAMESPACE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_NAMESPACE),
-											 GetUserId(),
+									 ACLMASK_ANY) == ACL_NO_RIGHTS)
 											 ACL_ALL_RIGHTS_NAMESPACE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_NAMESPACE),
 											 ACLMASK_ALL);
 			if (my_rights == ACL_NO_RIGHTS)
 				aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_NAMESPACE,
 							   nspname);
 			my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
 		}
 		/*
@ -1030,7 +1008,7 @@ ExecuteGrantStmt_Namespace(GrantStmt *stmt)
 		 * In practice that behavior seems much too noisy, as well as
 		 * inconsistent with the GRANT case.)
 		 */
-		this_privileges = privileges & my_goptions;
+		this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
 		if (stmt->is_grant)
 		{
 			if (this_privileges == 0)
@ -1055,18 +1033,8 @@ ExecuteGrantStmt_Namespace(GrantStmt *stmt)
 		}
 		/*
-		 * If there's no ACL, substitute the proper default.
+		 * Generate new ACL.
-		 */
+		 *
 		aclDatum = SysCacheGetAttr(NAMESPACENAME, tuple,
 								   Anum_pg_namespace_nspacl,
 								   &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId);
 		else
 			/* get a detoasted copy of the ACL */
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/*
 		 * We need the members of both old and new ACLs so we can correct
 		 * the shared dependency information.
 		 */
@ -1151,7 +1119,7 @@ ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
 		Form_pg_tablespace pg_tablespace_tuple;
 		Datum		aclDatum;
 		bool		isNull;
-		AclMode		my_goptions;
+		AclMode		avail_goptions;
 		AclMode		this_privileges;
 		Acl		   *old_acl;
 		Acl		   *new_acl;
@ -1179,28 +1147,36 @@ ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
 				   errmsg("tablespace \"%s\" does not exist", spcname)));
 		pg_tablespace_tuple = (Form_pg_tablespace) GETSTRUCT(tuple);
 		/*
 		 * Get owner ID and working copy of existing ACL.
 		 * If there's no ACL, substitute the proper default.
 		 */
 		ownerId = pg_tablespace_tuple->spcowner;
-		grantorId = select_grantor(ownerId);
+		aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl,
 								RelationGetDescr(relation), &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_TABLESPACE, ownerId);
 		else
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/* Determine ID to do the grant as, and available grant options */
 		select_best_grantor(GetUserId(), privileges,
 							old_acl, ownerId,
 							&grantorId, &avail_goptions);
 		/*
-		 * Must be owner or have some privilege on the object (per spec,
+		 * If we found no grant options, consider whether to issue a hard
-		 * any privilege will get you by here).  The owner is always
+		 * error.  Per spec, having any privilege at all on the object
-		 * treated as having all grant options.
+		 * will get you by here.
 		 */
-		if (pg_tablespace_ownercheck(HeapTupleGetOid(tuple), GetUserId()))
+		if (avail_goptions == ACL_NO_RIGHTS)
 			my_goptions = ACL_ALL_RIGHTS_TABLESPACE;
 		else
 		{
-			AclMode		my_rights;
+			if (pg_tablespace_aclmask(HeapTupleGetOid(tuple),
-
+									  grantorId,
-			my_rights = pg_tablespace_aclmask(HeapTupleGetOid(tuple),
+									  ACL_ALL_RIGHTS_TABLESPACE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_TABLESPACE),
-											  GetUserId(),
+									  ACLMASK_ANY) == ACL_NO_RIGHTS)
 											  ACL_ALL_RIGHTS_TABLESPACE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_TABLESPACE),
 											  ACLMASK_ALL);
 			if (my_rights == ACL_NO_RIGHTS)
 				aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_TABLESPACE,
 							   spcname);
 			my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
 		}
 		/*
@ -1211,7 +1187,7 @@ ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
 		 * In practice that behavior seems much too noisy, as well as
 		 * inconsistent with the GRANT case.)
 		 */
-		this_privileges = privileges & my_goptions;
+		this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
 		if (stmt->is_grant)
 		{
 			if (this_privileges == 0)
@ -1236,17 +1212,8 @@ ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
 		}
 		/*
-		 * If there's no ACL, substitute the proper default.
+		 * Generate new ACL.
-		 */
+		 *
 		aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl,
 								RelationGetDescr(relation), &isNull);
 		if (isNull)
 			old_acl = acldefault(ACL_OBJECT_TABLESPACE, ownerId);
 		else
 			/* get a detoasted copy of the ACL */
 			old_acl = DatumGetAclPCopy(aclDatum);
 		/*
 		 * We need the members of both old and new ACLs so we can correct
 		 * the shared dependency information.
 		 */
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.124 2005/10/07 19:59:34 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.125 2005/10/10 18:49:03 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -1070,6 +1070,65 @@ aclmask(const Acl *acl, Oid roleid, Oid ownerId,
 }
 /*
 * aclmask_direct --- compute bitmask of all privileges held by roleid.
 *
 * This is exactly like aclmask() except that we consider only privileges
 * held *directly* by roleid, not those inherited via role membership.
 */
 static AclMode
 aclmask_direct(const Acl *acl, Oid roleid, Oid ownerId,
 			   AclMode mask, AclMaskHow how)
 {
 	AclMode		result;
 	AclItem    *aidat;
 	int			i,
 				num;
 	/*
 	 * Null ACL should not happen, since caller should have inserted
 	 * appropriate default
 	 */
 	if (acl == NULL)
 		elog(ERROR, "null ACL");
 	/* Quick exit for mask == 0 */
 	if (mask == 0)
 		return 0;
 	result = 0;
 	/* Owner always implicitly has all grant options */
 	if ((mask & ACLITEM_ALL_GOPTION_BITS) &&
 		roleid == ownerId)
 	{
 		result = mask & ACLITEM_ALL_GOPTION_BITS;
 		if ((how == ACLMASK_ALL) ? (result == mask) : (result != 0))
 			return result;
 	}
 	num = ACL_NUM(acl);
 	aidat = ACL_DAT(acl);
 	/*
 	 * Check privileges granted directly to roleid (and not to public)
 	 */
 	for (i = 0; i < num; i++)
 	{
 		AclItem    *aidata = &aidat[i];
 		if (aidata->ai_grantee == roleid)
 		{
 			result |= aidata->ai_privs & mask;
 			if ((how == ACLMASK_ALL) ? (result == mask) : (result != 0))
 				return result;
 		}
 	}
 	return result;
 }
 /*
 * aclmembers
 *		Find out all the roleids mentioned in an Acl.
@ -2778,37 +2837,33 @@ has_rolinherit(Oid roleid)
 /*
- * Does member have the privileges of role (directly or indirectly)?
+ * Get a list of roles that the specified roleid has the privileges of
 *
 * This is defined not to recurse through roles that don't have rolinherit
 * set; for such roles, membership implies the ability to do SET ROLE, but
 * the privileges are not available until you've done so.
 *
 * Since indirect membership testing is relatively expensive, we cache
- * a list of memberships.
+ * a list of memberships.  Hence, the result is only guaranteed good until
 * the next call of roles_has_privs_of()!
 *
 * For the benefit of select_best_grantor, the result is defined to be
 * in breadth-first order, ie, closer relationships earlier.
 */
-bool
+static List *
-has_privs_of_role(Oid member, Oid role)
+roles_has_privs_of(Oid roleid)
 {
 	List		*roles_list;
 	ListCell	*l;
 	List		*new_cached_privs_roles;
 	MemoryContext	oldctx;
-	/* Fast path for simple case */
+	/* If cache is already valid, just return the list */
-	if (member == role)
+	if (OidIsValid(cached_privs_role) && cached_privs_role == roleid)
-		return true;
+		return cached_privs_roles;
 	/* Superusers have every privilege, so are part of every role */
 	if (superuser_arg(member))
 		return true;
 	/* If cache is already valid, just use the list */
 	if (OidIsValid(cached_privs_role) && cached_privs_role == member)
 		return list_member_oid(cached_privs_roles, role);
 	/* 
-	 * Find all the roles that member is a member of,
+	 * Find all the roles that roleid is a member of,
 	 * including multi-level recursion.  The role itself will always
 	 * be the first element of the resulting list.
 	 *
@ -2818,7 +2873,7 @@ has_privs_of_role(Oid member, Oid role)
 	 * This is a bit tricky but works because the foreach() macro doesn't
 	 * fetch the next list element until the bottom of the loop.
 	 */
-	roles_list = list_make1_oid(member);
+	roles_list = list_make1_oid(roleid);
 	foreach(l, roles_list)
 	{
@ -2863,43 +2918,36 @@ has_privs_of_role(Oid member, Oid role)
 	cached_privs_role = InvalidOid;	/* just paranoia */
 	list_free(cached_privs_roles);
 	cached_privs_roles = new_cached_privs_roles;
-	cached_privs_role = member;
+	cached_privs_role = roleid;
 	/* And now we can return the answer */
-	return list_member_oid(cached_privs_roles, role);
+	return cached_privs_roles;
 }
 /*
- * Is member a member of role (directly or indirectly)?
+ * Get a list of roles that the specified roleid is a member of
 *
 * This is defined to recurse through roles regardless of rolinherit.
 *
 * Since indirect membership testing is relatively expensive, we cache
- * a list of memberships.
+ * a list of memberships.  Hence, the result is only guaranteed good until
 * the next call of roles_is_member_of()!
 */
-bool
+static List *
-is_member_of_role(Oid member, Oid role)
+roles_is_member_of(Oid roleid)
 {
 	List		*roles_list;
 	ListCell	*l;
 	List		*new_cached_membership_roles;
 	MemoryContext	oldctx;
-	/* Fast path for simple case */
+	/* If cache is already valid, just return the list */
-	if (member == role)
+	if (OidIsValid(cached_member_role) && cached_member_role == roleid)
-		return true;
+		return cached_membership_roles;
 	/* Superusers have every privilege, so are part of every role */
 	if (superuser_arg(member))
 		return true;
 	/* If cache is already valid, just use the list */
 	if (OidIsValid(cached_member_role) && cached_member_role == member)
 		return list_member_oid(cached_membership_roles, role);
 	/* 
-	 * Find all the roles that member is a member of,
+	 * Find all the roles that roleid is a member of,
 	 * including multi-level recursion.  The role itself will always
 	 * be the first element of the resulting list.
 	 *
@ -2909,7 +2957,7 @@ is_member_of_role(Oid member, Oid role)
 	 * This is a bit tricky but works because the foreach() macro doesn't
 	 * fetch the next list element until the bottom of the loop.
 	 */
-	roles_list = list_make1_oid(member);
+	roles_list = list_make1_oid(roleid);
 	foreach(l, roles_list)
 	{
@ -2950,10 +2998,60 @@ is_member_of_role(Oid member, Oid role)
 	cached_member_role = InvalidOid;	/* just paranoia */
 	list_free(cached_membership_roles);
 	cached_membership_roles = new_cached_membership_roles;
-	cached_member_role = member;
+	cached_member_role = roleid;
 	/* And now we can return the answer */
-	return list_member_oid(cached_membership_roles, role);
+	return cached_membership_roles;
 }
 /*
 * Does member have the privileges of role (directly or indirectly)?
 *
 * This is defined not to recurse through roles that don't have rolinherit
 * set; for such roles, membership implies the ability to do SET ROLE, but
 * the privileges are not available until you've done so.
 */
 bool
 has_privs_of_role(Oid member, Oid role)
 {
 	/* Fast path for simple case */
 	if (member == role)
 		return true;
 	/* Superusers have every privilege, so are part of every role */
 	if (superuser_arg(member))
 		return true;
 	/* 
 	 * Find all the roles that member has the privileges of, including
 	 * multi-level recursion, then see if target role is any one of them.
 	 */
 	return list_member_oid(roles_has_privs_of(member), role);
 }
 /*
 * Is member a member of role (directly or indirectly)?
 *
 * This is defined to recurse through roles regardless of rolinherit.
 */
 bool
 is_member_of_role(Oid member, Oid role)
 {
 	/* Fast path for simple case */
 	if (member == role)
 		return true;
 	/* Superusers have every privilege, so are part of every role */
 	if (superuser_arg(member))
 		return true;
 	/* 
 	 * Find all the roles that member is a member of, including multi-level
 	 * recursion, then see if target role is any one of them.
 	 */
 	return list_member_oid(roles_is_member_of(member), role);
 }
 /*
@ -3034,3 +3132,113 @@ is_admin_of_role(Oid member, Oid role)
 	return result;
 }
 /* does what it says ... */
 static int
 count_one_bits(AclMode mask)
 {
 	int		nbits = 0;
 	/* this code relies on AclMode being an unsigned type */
 	while (mask)
 	{
 		if (mask & 1)
 			nbits++;
 		mask >>= 1;
 	}
 	return nbits;
 }
 /*
 * Select the effective grantor ID for a GRANT or REVOKE operation.
 *
 * The grantor must always be either the object owner or some role that has
 * been explicitly granted grant options.  This ensures that all granted
 * privileges appear to flow from the object owner, and there are never
 * multiple "original sources" of a privilege.  Therefore, if the would-be
 * grantor is a member of a role that has the needed grant options, we have
 * to do the grant as that role instead.
 *
 * It is possible that the would-be grantor is a member of several roles
 * that have different subsets of the desired grant options, but no one
 * role has 'em all.  In this case we pick a role with the largest number
 * of desired options.  Ties are broken in favor of closer ancestors.
 *
 * roleId: the role attempting to do the GRANT/REVOKE
 * privileges: the privileges to be granted/revoked
 * acl: the ACL of the object in question
 * ownerId: the role owning the object in question
 * *grantorId: receives the OID of the role to do the grant as
 * *grantOptions: receives the grant options actually held by grantorId
 *
 * If no grant options exist, we set grantorId to roleId, grantOptions to 0.
 */
 void
 select_best_grantor(Oid roleId, AclMode privileges,
 					const Acl *acl, Oid ownerId,
 					Oid *grantorId, AclMode *grantOptions)
 {
 	AclMode		needed_goptions = ACL_GRANT_OPTION_FOR(privileges);
 	List		*roles_list;
 	int			nrights;
 	ListCell   *l;
 	/*
 	 * The object owner is always treated as having all grant options,
 	 * so if roleId is the owner it's easy.  Also, if roleId is a superuser
 	 * it's easy: superusers are implicitly members of every role, so they
 	 * act as the object owner.
 	 */
 	if (roleId == ownerId || superuser_arg(roleId))
 	{
 		*grantorId = ownerId;
 		*grantOptions = needed_goptions;
 		return;
 	}
 	/*
 	 * Otherwise we have to do a careful search to see if roleId has the
 	 * privileges of any suitable role.  Note: we can hang onto the result
 	 * of roles_has_privs_of() throughout this loop, because aclmask_direct()
 	 * doesn't query any role memberships.
 	 */
 	roles_list = roles_has_privs_of(roleId);
 	/* initialize candidate result as default */
 	*grantorId = roleId;
 	*grantOptions = ACL_NO_RIGHTS;
 	nrights = 0;
 	foreach(l, roles_list)
 	{
 		Oid		otherrole = lfirst_oid(l);
 		AclMode	otherprivs;
 		otherprivs = aclmask_direct(acl, otherrole, ownerId,
 									needed_goptions, ACLMASK_ALL);
 		if (otherprivs == needed_goptions)
 		{
 			/* Found a suitable grantor */
 			*grantorId = otherrole;
 			*grantOptions = otherprivs;
 			return;
 		}
 		/*
 		 * If it has just some of the needed privileges, remember best
 		 * candidate.
 		 */
 		if (otherprivs != ACL_NO_RIGHTS)
 		{
 			int		nnewrights = count_one_bits(otherprivs);
 			if (nnewrights > nrights)
 			{
 				*grantorId = otherrole;
 				*grantOptions = otherprivs;
 				nrights = nnewrights;
 			}
 		}
 	}
 }
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.83 2005/07/26 16:38:29 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.84 2005/10/10 18:49:04 tgl Exp $
 *
 * NOTES
 *	  An ACL array is simply an array of AclItems, representing the union
@ -215,6 +215,10 @@ extern bool is_member_of_role(Oid member, Oid role);
 extern bool is_admin_of_role(Oid member, Oid role);
 extern void check_is_member_of_role(Oid member, Oid role);
 extern void select_best_grantor(Oid roleId, AclMode privileges,
 								const Acl *acl, Oid ownerId,
 								Oid *grantorId, AclMode *grantOptions);
 extern void initialize_acl(void);
 /*