From 97d625dd1cf766e25815e1f6d5e5ee845f7b1030 Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Wed, 26 May 2004 18:35:51 +0000 Subject: [PATCH] *) inet_(client|server)_(addr|port)() and necessary documentation for the four functions. > Also, please justify the temp-related changes. I was not aware that we > had any breakage there. patch-tmp-schema.txt contains the following bits: *) Changes pg_namespace_aclmask() so that the superuser is always able to create objects in the temp namespace. *) Changes pg_namespace_aclmask() so that if this is a temp namespace, objects are only allowed to be created in the temp namespace if the user has TEMP privs on the database. This encompasses all object creation, not just TEMP tables. *) InitTempTableNamespace() checks to see if the current user, not the session user, has access to create a temp namespace. The first two changes are necessary to support the third change. Now it's possible to revoke all temp table privs from non-super users and limiting all creation of temp tables/schemas via a function that's executed with elevated privs (security definer). Before this change, it was not possible to have a setuid function to create a temp table/schema if the session user had no TEMP privs. patch-area-path.txt contains: *) Can now determine the area of a closed path. patch-dfmgr.txt contains: *) Small tweak to add the library path that's being expanded. I was using $lib/foo.so and couldn't easily figure out what the error message, "invalid macro name in dynamic library path" meant without looking through the source code. With the path in there, at least I know where to start looking in my config file. Sean Chittenden --- doc/src/sgml/func.sgml | 37 +++++++++- src/backend/catalog/aclchk.c | 26 +++++-- src/backend/catalog/namespace.c | 10 +-- src/backend/libpq/hba.c | 12 ++- src/backend/libpq/ip.c | 6 +- src/backend/libpq/pqcomm.c | 5 +- src/backend/postmaster/postmaster.c | 8 +- src/backend/utils/adt/geo_ops.c | 23 +++++- src/backend/utils/adt/network.c | 109 +++++++++++++++++++++++++++- src/backend/utils/fmgr/dfmgr.c | 4 +- src/include/catalog/pg_proc.h | 13 +++- src/include/utils/builtins.h | 6 +- src/include/utils/geo_decls.h | 3 +- src/interfaces/libpq/fe-connect.c | 5 +- 14 files changed, 234 insertions(+), 33 deletions(-) diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml index 3ead134679..82081e514f 100644 --- a/doc/src/sgml/func.sgml +++ b/doc/src/sgml/func.sgml @@ -1,5 +1,5 @@ @@ -6592,6 +6592,30 @@ SELECT NULLIF(value, '(none)') ... user name of current execution context + + inet_client_addr + inet + address of the remote connection + + + + inet_client_port + int4 + port of the remote connection + + + + inet_server_addr + inet + address of the local connection + + + + inet_server_port + int4 + port of the local connection + + session_user name @@ -6647,6 +6671,17 @@ SELECT NULLIF(value, '(none)') ... + + inet_client_addr and + inet_server_addr return the IPv4 or IPv6 (if + configured) address of the remote or local host connecting to the + database, respectively. inet_client_port + and inet_server_port return the port number + of the remote or local host connecting to the database, + respectively. If the connection is not a network connection, + these functions will return NULL. + + current_schema returns the name of the schema that is at the front of the search path (or a null value if the search path is diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index cabeb69088..cc64d70930 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.99 2004/05/26 04:41:06 neilc Exp $ + * $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.100 2004/05/26 18:35:32 momjian Exp $ * * NOTES * See acl.h. @@ -1342,17 +1342,27 @@ pg_namespace_aclmask(Oid nsp_oid, AclId userid, bool isNull; Acl *acl; - /* - * If we have been assigned this namespace as a temp namespace, assume - * we have all grantable privileges on it. - */ - if (isTempNamespace(nsp_oid)) - return mask; - /* Superusers bypass all permission checking. */ if (superuser_arg(userid)) return mask; + /* + * If we have been assigned this namespace as a temp + * namespace, check to make sure we have CREATE permissions on + * the database. + * + * Instead of returning ACLCHECK_NO_PRIV, should we return via + * ereport() with a message about trying to create an object + * in a TEMP namespace when GetUserId() doesn't have perms? + */ + if (isTempNamespace(nsp_oid)) { + if (pg_database_aclcheck(MyDatabaseId, GetUserId(), + ACL_CREATE_TEMP) == ACLCHECK_OK) + return ACLCHECK_OK; + else + return ACLCHECK_NO_PRIV; + } + /* * Get the schema's ACL from pg_namespace */ diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c index e9b5a35ba7..1b59e81a4c 100644 --- a/src/backend/catalog/namespace.c +++ b/src/backend/catalog/namespace.c @@ -13,7 +13,7 @@ * Portions Copyright (c) 1994, Regents of the University of California * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/catalog/namespace.c,v 1.64 2004/05/26 04:41:07 neilc Exp $ + * $PostgreSQL: pgsql/src/backend/catalog/namespace.c,v 1.65 2004/05/26 18:35:32 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -1640,11 +1640,11 @@ InitTempTableNamespace(void) * tables. We use a nonstandard error message here since * "databasename: permission denied" might be a tad cryptic. * - * Note we apply the check to the session user, not the currently active - * userid, since we are not going to change our minds about temp table - * availability during the session. + * ACL_CREATE_TEMP perms are also checked in + * pg_namespace_aclcheck() that way only users who have TEMP + * perms can create objects. */ - if (pg_database_aclcheck(MyDatabaseId, GetSessionUserId(), + if (pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE_TEMP) != ACLCHECK_OK) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 25666af690..f9423a4e63 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -10,7 +10,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.123 2004/05/26 04:41:18 neilc Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.124 2004/05/26 18:35:33 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -1345,8 +1345,11 @@ ident_inet(const SockAddr remote_addr, hints.ai_addr = NULL; hints.ai_next = NULL; rc = getaddrinfo_all(remote_addr_s, ident_port, &hints, &ident_serv); - if (rc || !ident_serv) + if (rc || !ident_serv) { + if (ident_serv) + freeaddrinfo_all(hints.ai_family, ident_serv); return false; /* we don't expect this to happen */ + } hints.ai_flags = AI_NUMERICHOST; hints.ai_family = local_addr.addr.ss_family; @@ -1357,8 +1360,11 @@ ident_inet(const SockAddr remote_addr, hints.ai_addr = NULL; hints.ai_next = NULL; rc = getaddrinfo_all(local_addr_s, NULL, &hints, &la); - if (rc || !la) + if (rc || !la) { + if (la) + freeaddrinfo_all(hints.ai_family, la); return false; /* we don't expect this to happen */ + } sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype, ident_serv->ai_protocol); diff --git a/src/backend/libpq/ip.c b/src/backend/libpq/ip.c index bc6a7b98d8..c8e3164978 100644 --- a/src/backend/libpq/ip.c +++ b/src/backend/libpq/ip.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/ip.c,v 1.25 2004/04/24 20:10:34 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/ip.c,v 1.26 2004/05/26 18:35:33 momjian Exp $ * * This file and the IPV6 implementation were initially provided by * Nigel Kukard , Linux Based Systems Design @@ -73,11 +73,11 @@ getaddrinfo_all(const char *hostname, const char *servname, *result = NULL; #ifdef HAVE_UNIX_SOCKETS - if (hintp != NULL && hintp->ai_family == AF_UNIX) + if (hintp->ai_family == AF_UNIX) return getaddrinfo_unix(servname, hintp, result); #endif - /* NULL has special meaning to getaddrinfo */ + /* NULL has special meaning to getaddrinfo(). */ return getaddrinfo((!hostname || hostname[0] == '\0') ? NULL : hostname, servname, hintp, result); } diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c index 2252d8f5f0..f3dcb0d98a 100644 --- a/src/backend/libpq/pqcomm.c +++ b/src/backend/libpq/pqcomm.c @@ -30,7 +30,7 @@ * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/backend/libpq/pqcomm.c,v 1.168 2003/12/12 18:45:08 petere Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/pqcomm.c,v 1.169 2004/05/26 18:35:33 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -251,7 +251,8 @@ StreamServerPort(int family, char *hostName, unsigned short portNumber, ereport(LOG, (errmsg("could not translate service \"%s\" to address: %s", service, gai_strerror(ret)))); - freeaddrinfo_all(hint.ai_family, addrs); + if (addrs) + freeaddrinfo_all(hint.ai_family, addrs); return STATUS_ERROR; } diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c index 01c2ed3eaf..3ccbd49fba 100644 --- a/src/backend/postmaster/postmaster.c +++ b/src/backend/postmaster/postmaster.c @@ -37,7 +37,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.394 2004/05/23 03:50:45 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.395 2004/05/26 18:35:35 momjian Exp $ * * NOTES * @@ -2469,10 +2469,14 @@ BackendInit(Port *port) remote_port, sizeof(remote_port), (log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV)) { - getnameinfo_all(&port->raddr.addr, port->raddr.salen, + int ret = getnameinfo_all(&port->raddr.addr, port->raddr.salen, remote_host, sizeof(remote_host), remote_port, sizeof(remote_port), NI_NUMERICHOST | NI_NUMERICSERV); + if (ret) + ereport(WARNING, + (errmsg("getnameinfo_all() failed: %s", + gai_strerror(ret)))); } snprintf(remote_ps_data, sizeof(remote_ps_data), remote_port[0] == '\0' ? "%s" : "%s(%s)", diff --git a/src/backend/utils/adt/geo_ops.c b/src/backend/utils/adt/geo_ops.c index 4236be5471..0dd5f2a75c 100644 --- a/src/backend/utils/adt/geo_ops.c +++ b/src/backend/utils/adt/geo_ops.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/adt/geo_ops.c,v 1.84 2004/05/12 22:38:44 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/utils/adt/geo_ops.c,v 1.85 2004/05/26 18:35:38 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -1312,6 +1312,27 @@ line_interpt_internal(LINE *l1, LINE *l2) * "(closed, npts, xcoord, ycoord,... )" *---------------------------------------------------------*/ +Datum +path_area(PG_FUNCTION_ARGS) +{ + PATH *path = PG_GETARG_PATH_P(0); + double area = 0.0; + int i,j; + + if (!path->closed) + PG_RETURN_NULL(); + + for (i = 0; i < path->npts; i++) { + j = (i + 1) % path->npts; + area += path->p[i].x * path->p[j].y; + area -= path->p[i].y * path->p[j].x; + } + + area *= 0.5; + PG_RETURN_FLOAT8(area < 0.0 ? -area : area); +} + + Datum path_in(PG_FUNCTION_ARGS) { diff --git a/src/backend/utils/adt/network.c b/src/backend/utils/adt/network.c index acad79dec6..49e2694261 100644 --- a/src/backend/utils/adt/network.c +++ b/src/backend/utils/adt/network.c @@ -1,7 +1,7 @@ /* * PostgreSQL type definitions for the INET and CIDR types. * - * $PostgreSQL: pgsql/src/backend/utils/adt/network.c,v 1.49 2003/12/01 18:50:19 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/utils/adt/network.c,v 1.50 2004/05/26 18:35:38 momjian Exp $ * * Jon Postel RIP 16 Oct 1998 */ @@ -14,7 +14,10 @@ #include #include "catalog/pg_type.h" +#include "libpq/ip.h" +#include "libpq/libpq-be.h" #include "libpq/pqformat.h" +#include "miscadmin.h" #include "utils/builtins.h" #include "utils/inet.h" @@ -130,6 +133,110 @@ cidr_in(PG_FUNCTION_ARGS) PG_RETURN_INET_P(network_in(src, 1)); } +/* INET that the client is connecting from */ +Datum +inet_client_addr(PG_FUNCTION_ARGS) +{ + Port *port = MyProcPort; + + if (port == NULL) + PG_RETURN_NULL(); + + switch (port->raddr.addr.ss_family) { + case AF_INET: +#ifdef HAVE_IPV6 + case AF_INET6: +#endif + break; + default: + PG_RETURN_NULL(); + } + + PG_RETURN_INET_P(network_in(port->remote_host, 0)); +} + + +/* port that the client is connecting from */ +Datum +inet_client_port(PG_FUNCTION_ARGS) +{ + Port *port = MyProcPort; + + if (port == NULL) + PG_RETURN_NULL(); + + PG_RETURN_INT32(DirectFunctionCall1(int4in, CStringGetDatum(port->remote_port))); +} + + +/* server INET that the client connected to */ +Datum +inet_server_addr(PG_FUNCTION_ARGS) +{ + Port *port = MyProcPort; + char local_host[NI_MAXHOST]; + int ret; + + if (port == NULL) + PG_RETURN_NULL(); + + switch (port->laddr.addr.ss_family) { + case AF_INET: +#ifdef HAVE_IPV6 + case AF_INET6: +#endif + break; + default: + PG_RETURN_NULL(); + } + + local_host[0] = '\0'; + + ret = getnameinfo_all(&port->laddr.addr, port->laddr.salen, + local_host, sizeof(local_host), + NULL, 0, + NI_NUMERICHOST | NI_NUMERICSERV); + if (ret) + PG_RETURN_NULL(); + + PG_RETURN_INET_P(network_in(local_host, 0)); +} + + +/* port that the server accepted the connection on */ +Datum +inet_server_port(PG_FUNCTION_ARGS) +{ + Port *port = MyProcPort; + char local_port[NI_MAXSERV]; + int ret; + + if (port == NULL) + PG_RETURN_NULL(); + + switch (port->laddr.addr.ss_family) { + case AF_INET: +#ifdef HAVE_IPV6 + case AF_INET6: +#endif + break; + default: + PG_RETURN_NULL(); + } + + local_port[0] = '\0'; + + ret = getnameinfo_all(&port->laddr.addr, port->laddr.salen, + NULL, 0, + local_port, sizeof(local_port), + NI_NUMERICHOST | NI_NUMERICSERV); + if (ret) + PG_RETURN_NULL(); + + PG_RETURN_INT32(DirectFunctionCall1(int4in, CStringGetDatum(local_port))); +} + + /* * INET address output function. */ diff --git a/src/backend/utils/fmgr/dfmgr.c b/src/backend/utils/fmgr/dfmgr.c index 3aeadfa20e..0d1bfc3b20 100644 --- a/src/backend/utils/fmgr/dfmgr.c +++ b/src/backend/utils/fmgr/dfmgr.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/fmgr/dfmgr.c,v 1.72 2004/05/17 14:35:31 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/utils/fmgr/dfmgr.c,v 1.73 2004/05/26 18:35:39 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -350,7 +350,7 @@ substitute_libpath_macro(const char *name) strncmp(name, "$libdir", strlen("$libdir")) != 0) ereport(ERROR, (errcode(ERRCODE_INVALID_NAME), - errmsg("invalid macro name in dynamic library path"))); + errmsg("invalid macro name in dynamic library path: %s", name))); ret = palloc(strlen(pkglib_path) + strlen(sep_ptr) + 1); diff --git a/src/include/catalog/pg_proc.h b/src/include/catalog/pg_proc.h index 22af7a66be..b198d713b6 100644 --- a/src/include/catalog/pg_proc.h +++ b/src/include/catalog/pg_proc.h @@ -7,7 +7,7 @@ * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/catalog/pg_proc.h,v 1.331 2004/05/26 18:14:36 momjian Exp $ + * $PostgreSQL: pgsql/src/include/catalog/pg_proc.h,v 1.332 2004/05/26 18:35:43 momjian Exp $ * * NOTES * The script catalog/genbki.sh reads this file and generates .bki @@ -1259,6 +1259,8 @@ DATA(insert OID = 977 ( height PGNSP PGUID 12 f f t f i 1 701 "603" _null_ DESCR("box height"); DATA(insert OID = 978 ( box_distance PGNSP PGUID 12 f f t f i 2 701 "603 603" _null_ box_distance - _null_ )); DESCR("distance between boxes"); +DATA(insert OID = 979 ( area PGNSP PGUID 12 f f t f i 1 701 "602" _null_ path_area - _null_ )); +DESCR("area of a closed path"); DATA(insert OID = 980 ( box_intersect PGNSP PGUID 12 f f t f i 2 603 "603 603" _null_ box_intersect - _null_ )); DESCR("box intersection (another box)"); DATA(insert OID = 981 ( diagonal PGNSP PGUID 12 f f t f i 1 601 "603" _null_ box_diagonal - _null_ )); @@ -2344,6 +2346,15 @@ DESCR("I/O"); DATA(insert OID = 911 ( inet_out PGNSP PGUID 12 f f t f i 1 2275 "869" _null_ inet_out - _null_ )); DESCR("I/O"); +DATA(insert OID = 912 ( inet_client_addr PGNSP PGUID 12 f f f f s 0 869 "" _null_ inet_client_addr - _null_ )); +DESCR("Returns the INET address of the client connected to the backend"); +DATA(insert OID = 913 ( inet_client_port PGNSP PGUID 12 f f f f s 0 23 "" _null_ inet_client_port - _null_ )); +DESCR("Returns the client's port number for this connection"); +DATA(insert OID = 914 ( inet_server_addr PGNSP PGUID 12 f f f f s 0 869 "" _null_ inet_server_addr - _null_ )); +DESCR("Returns the INET address that the backend is using to service the connection"); +DATA(insert OID = 915 ( inet_server_port PGNSP PGUID 12 f f f f s 0 23 "" _null_ inet_server_port - _null_ )); +DESCR("Returns the servers's port number for this connection"); + /* for cidr type support */ DATA(insert OID = 1267 ( cidr_in PGNSP PGUID 12 f f t f i 1 650 "2275" _null_ cidr_in - _null_ )); DESCR("I/O"); diff --git a/src/include/utils/builtins.h b/src/include/utils/builtins.h index e4eb5dbdee..267ededb13 100644 --- a/src/include/utils/builtins.h +++ b/src/include/utils/builtins.h @@ -7,7 +7,7 @@ * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/utils/builtins.h,v 1.239 2004/05/26 15:26:18 momjian Exp $ + * $PostgreSQL: pgsql/src/include/utils/builtins.h,v 1.240 2004/05/26 18:35:46 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -647,6 +647,10 @@ extern int inet_net_pton(int af, const char *src, void *dst, size_t size); /* network.c */ +extern Datum inet_client_addr(PG_FUNCTION_ARGS); +extern Datum inet_client_port(PG_FUNCTION_ARGS); +extern Datum inet_server_addr(PG_FUNCTION_ARGS); +extern Datum inet_server_port(PG_FUNCTION_ARGS); extern Datum inet_in(PG_FUNCTION_ARGS); extern Datum inet_out(PG_FUNCTION_ARGS); extern Datum inet_recv(PG_FUNCTION_ARGS); diff --git a/src/include/utils/geo_decls.h b/src/include/utils/geo_decls.h index 84133731bd..e4f2b6855b 100644 --- a/src/include/utils/geo_decls.h +++ b/src/include/utils/geo_decls.h @@ -6,7 +6,7 @@ * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/utils/geo_decls.h,v 1.43 2003/11/29 22:41:15 pgsql Exp $ + * $PostgreSQL: pgsql/src/include/utils/geo_decls.h,v 1.44 2004/05/26 18:35:47 momjian Exp $ * * NOTE * These routines do *not* use the float types from adt/. @@ -305,6 +305,7 @@ extern Datum box_mul(PG_FUNCTION_ARGS); extern Datum box_div(PG_FUNCTION_ARGS); /* public path routines */ +extern Datum path_area(PG_FUNCTION_ARGS); extern Datum path_in(PG_FUNCTION_ARGS); extern Datum path_out(PG_FUNCTION_ARGS); extern Datum path_recv(PG_FUNCTION_ARGS); diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 828a8452a1..1cfc6808c5 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.270 2004/05/21 20:56:49 tgl Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.271 2004/05/26 18:35:51 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -946,7 +946,8 @@ connectDBStart(PGconn *conn) printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not translate Unix-domain socket path \"%s\" to address: %s\n"), portstr, gai_strerror(ret)); - freeaddrinfo_all(hint.ai_family, addrs); + if (addrs) + freeaddrinfo_all(hint.ai_family, addrs); goto connect_errReturn; }