From dc6b4deb9717a9f03b2f93baca9f93f13786e26b Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Thu, 3 Jan 2002 23:21:32 +0000 Subject: [PATCH] Require ownership permission for CREATE INDEX, per bug report. Disallow CREATE INDEX on system catalogs, non-tables (views, sequences, etc). Disallow CREATE/DROP TRIGGER on system catalogs, non-tables. Disallow ALTER TABLE ADD/DROP CONSTRAINT on system catalogs. Disallow FOREIGN KEY reference to non-table. None of these things can actually work in the present system structure, but the code was letting them pass without complaint. --- src/backend/commands/command.c | 11 ++++++++--- src/backend/commands/indexcmds.c | 25 ++++++++++++++++++------- src/backend/commands/trigger.c | 17 +++++++++++++++-- src/backend/parser/analyze.c | 10 +++++++++- src/backend/tcop/utility.c | 9 ++++++++- 5 files changed, 58 insertions(+), 14 deletions(-) diff --git a/src/backend/commands/command.c b/src/backend/commands/command.c index cab60421e6..646511eb18 100644 --- a/src/backend/commands/command.c +++ b/src/backend/commands/command.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/commands/Attic/command.c,v 1.151 2001/12/04 17:19:48 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/commands/Attic/command.c,v 1.152 2002/01/03 23:19:30 tgl Exp $ * * NOTES * The PerformAddAttribute() code, like most of the relation @@ -716,6 +716,7 @@ AlterTableAlterColumnStatistics(const char *relationName, Relation attrelation; HeapTuple tuple; + /* we allow this on system tables */ #ifndef NO_SECURITY if (!pg_ownercheck(GetUserId(), relationName, RELNAME)) elog(ERROR, "ALTER TABLE: permission denied"); 
@@ -1190,6 +1191,9 @@ AlterTableAddConstraint(char *relationName, Oid myrelid; List *listptr; + if (!allowSystemTableMods && IsSystemRelationName(relationName)) + elog(ERROR, "ALTER TABLE: relation \"%s\" is a system catalog", + relationName); #ifndef NO_SECURITY if (!pg_ownercheck(GetUserId(), relationName, RELNAME)) elog(ERROR, "ALTER TABLE: permission denied"); @@ -1506,6 +1510,9 @@ AlterTableDropConstraint(const char *relationName, Relation rel; int deleted; + if (!allowSystemTableMods && IsSystemRelationName(relationName)) + elog(ERROR, "ALTER TABLE: relation \"%s\" is a system catalog", + relationName); #ifndef NO_SECURITY if (!pg_ownercheck(GetUserId(), relationName, RELNAME)) elog(ERROR, "ALTER TABLE: permission denied"); @@ -1886,9 +1893,7 @@ needs_toast_table(Relation rel) } /* - * * LOCK TABLE - * */ void LockTableCommand(LockStmt *lockstmt) diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index a22e111ef4..4aa1484435 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/commands/indexcmds.c,v 1.61 2001/11/20 02:46:13 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/commands/indexcmds.c,v 1.62 2002/01/03 23:19:36 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -73,6 +73,7 @@ DefineIndex(char *heapRelationName, Oid *classObjectId; Oid accessMethodId; Oid relationId; + Relation rel; HeapTuple tuple; Form_pg_am accessMethodForm; IndexInfo *indexInfo; 
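Review bot: The new system-catalog guard in AlterTableAddConstraint sits outside the `#ifndef NO_SECURITY` block that wraps the ownership check just below it, and nothing records that this is deliberate. A one-line comment such as `/* structural restriction, not a permission check: enforced even when NO_SECURITY is defined */` would stop a later cleanup from moving it inside the conditional. The same three lines are added verbatim to AlterTableDropConstraint in the next hunk, so the comment applies there too, or both could call a small static helper holding the test and message. Both function bodies continue outside their hunks.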
@@ -90,12 +91,25 @@ DefineIndex(char *heapRelationName, INDEX_MAX_KEYS); /* - * compute heap relation id + * Open heap relation, acquire a suitable lock on it, remember its OID */ - if ((relationId = RelnameFindRelid(heapRelationName)) == InvalidOid) - elog(ERROR, "DefineIndex: relation \"%s\" not found", + rel = heap_openr(heapRelationName, ShareLock); + + /* Note: during bootstrap may see uncataloged relation */ + if (rel->rd_rel->relkind != RELKIND_RELATION && + rel->rd_rel->relkind != RELKIND_UNCATALOGED) + elog(ERROR, "DefineIndex: relation \"%s\" is not a table", heapRelationName); + relationId = RelationGetRelid(rel); + + heap_close(rel, NoLock); + + if (!IsBootstrapProcessingMode() && + IsSystemRelationName(heapRelationName) && + !IndexesAreActive(relationId, false)) + elog(ERROR, "Existing indexes are inactive. REINDEX first"); + /* * look up the access method, verify it can handle the requested * features @@ -131,9 +145,6 @@ DefineIndex(char *heapRelationName, CheckPredicate(cnfPred, rangetable, relationId); } - if (!IsBootstrapProcessingMode() && IsSystemRelationName(heapRelationName) && !IndexesAreActive(relationId, false)) - elog(ERROR, "Existing indexes are inactive. REINDEX first"); - /* * Prepare arguments for index_create, primarily an IndexInfo * structure diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c index 008774e5a8..8eedda03aa 100644 --- a/src/backend/commands/trigger.c +++ b/src/backend/commands/trigger.c @@ -7,7 +7,7 @@ * Portions Copyright (c) 1994, Regents of the University of California * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/commands/trigger.c,v 1.99 2001/11/16 16:31:16 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/commands/trigger.c,v 1.100 2002/01/03 23:21:23 tgl Exp $ * *------------------------------------------------------------------------- */ 
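Review bot: The relkind test in DefineIndex accepts `RELKIND_UNCATALOGED` unconditionally, although the comment above it justifies that value only for bootstrap. If uncataloged relations are reachable by name here only during bootstrap, tying the exemption to the mode keeps the "is not a table" rule strict at run time: `if (rel->rd_rel->relkind != RELKIND_RELATION && !(IsBootstrapProcessingMode() && rel->rd_rel->relkind == RELKIND_UNCATALOGED))`. `IsBootstrapProcessingMode()` is already used a few lines further down in this hunk. The hunk also leaves DefineIndex without its own ownership or system-catalog test, because those are added in the caller in the utility.c hunk, so a header comment stating that callers are responsible for them would help. DefineIndex starts and ends outside the hunk.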
@@ -105,6 +105,10 @@ CreateTrigger(CreateTrigStmt *stmt) rel = heap_openr(stmt->relname, AccessExclusiveLock); + if (rel->rd_rel->relkind != RELKIND_RELATION) + elog(ERROR, "CreateTrigger: relation \"%s\" is not a table", + stmt->relname); + TRIGGER_CLEAR_TYPE(tgtype); if (stmt->before) TRIGGER_SETT_BEFORE(tgtype); @@ -315,11 +319,20 @@ DropTrigger(DropTrigStmt *stmt) int found = 0; int tgfound = 0; + if (!allowSystemTableMods && IsSystemRelationName(stmt->relname)) + elog(ERROR, "DropTrigger: can't drop trigger for system relation %s", + stmt->relname); + if (!pg_ownercheck(GetUserId(), stmt->relname, RELNAME)) - elog(ERROR, "%s: %s", stmt->relname, aclcheck_error_strings[ACLCHECK_NOT_OWNER]); + elog(ERROR, "%s: %s", stmt->relname, + aclcheck_error_strings[ACLCHECK_NOT_OWNER]); rel = heap_openr(stmt->relname, AccessExclusiveLock); + if (rel->rd_rel->relkind != RELKIND_RELATION) + elog(ERROR, "DropTrigger: relation \"%s\" is not a table", + stmt->relname); + /* * Search pg_trigger, delete target trigger, count remaining triggers * for relation. Note this is OK only because we have diff --git a/src/backend/parser/analyze.c b/src/backend/parser/analyze.c index 87df6f55e7..413513cfa6 100644 --- a/src/backend/parser/analyze.c +++ b/src/backend/parser/analyze.c @@ -6,7 +6,7 @@ * Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $Header: /cvsroot/pgsql/src/backend/parser/analyze.c,v 1.212 2001/11/12 21:04:45 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/parser/analyze.c,v 1.213 2002/01/03 23:21:31 tgl Exp $ * *------------------------------------------------------------------------- */ 
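Review bot: In DropTrigger the ownership test `pg_ownercheck(GetUserId(), stmt->relname, RELNAME)` resolves the name before `heap_openr(stmt->relname, AccessExclusiveLock)` resolves it again, so the relation that was checked and the relation that gets locked are linked only by the name. Whether a rename or drop-and-recreate can land between the two lookups is not visible here; if it can, the check was made against a different relation. At minimum a comment above heap_openr, `/* NB: ownership was checked by name above, before this lock was taken */`, records the assumption. The CREATE INDEX path has the same shape: the owner check by name is in the utility.c hunk and the open by name is in DefineIndex. Separately, the new catalog message prints `%s` unquoted while the relkind message added a few lines later uses `\"%s\"`.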
@@ -2792,6 +2792,10 @@ transformFkeyCheckAttrs(FkConstraint *fkconstraint, Oid *pktypoid) */ pkrel = heap_openr(fkconstraint->pktable_name, AccessShareLock); + if (pkrel->rd_rel->relkind != RELKIND_RELATION) + elog(ERROR, "Referenced relation \"%s\" is not a table", + fkconstraint->pktable_name); + /* * Get the list of index OIDs for the table from the relcache, and * look up each one in the pg_index syscache for each unique one, and @@ -2881,6 +2885,10 @@ transformFkeyGetPrimaryKey(FkConstraint *fkconstraint, Oid *pktypoid) */ pkrel = heap_openr(fkconstraint->pktable_name, AccessShareLock); + if (pkrel->rd_rel->relkind != RELKIND_RELATION) + elog(ERROR, "Referenced relation \"%s\" is not a table", + fkconstraint->pktable_name); + /* * Get the list of index OIDs for the table from the relcache, and * look up each one in the pg_index syscache until we find one marked diff --git a/src/backend/tcop/utility.c b/src/backend/tcop/utility.c index 4755025a9d..f8cf6310a5 100644 --- a/src/backend/tcop/utility.c +++ b/src/backend/tcop/utility.c @@ -10,7 +10,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/tcop/utility.c,v 1.123 2001/11/20 02:46:13 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/tcop/utility.c,v 1.124 2002/01/03 23:21:32 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -532,6 +532,13 @@ ProcessUtility(Node *parsetree, set_ps_display(commandTag = "CREATE"); + relname = stmt->relname; + if (!allowSystemTableMods && IsSystemRelationName(relname)) + elog(ERROR, "CREATE INDEX: relation \"%s\" is a system catalog", + relname); + if (!pg_ownercheck(GetUserId(), relname, RELNAME)) + elog(ERROR, "permission denied"); + DefineIndex(stmt->relname, /* relation name */ stmt->idxname, /* index name */ stmt->accessMethod, /* am name */
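Review bot: The identical relkind test and message are added to both transformFkeyCheckAttrs and transformFkeyGetPrimaryKey, right after each `heap_openr(fkconstraint->pktable_name, AccessShareLock)`. A single static helper taking `pkrel` and the name would keep the two copies from drifting. The test runs during parse analysis, and whether the referenced relation is validated again when the constraint is actually created is outside these hunks, so a comment such as `/* views, sequences, etc. cannot be FK targets; checked here at analysis time */` would make the intended enforcement point explicit. Both functions continue past their hunks.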
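Review bot: The ownership failure in the CREATE INDEX branch of ProcessUtility is reported as a bare `"permission denied"`, naming neither the command nor the relation, unlike the `"CREATE INDEX: relation \"%s\" is a system catalog"` message just above it and the `"ALTER TABLE: permission denied"` form in command.c. Something like `elog(ERROR, "CREATE INDEX: permission denied");` would match. The branch assigns `relname` for the two checks, but the call still passes `stmt->relname`; passing `relname` makes it obvious that the checked name and the indexed name are the same. Since both checks live in ProcessUtility rather than DefineIndex, any other caller of DefineIndex (none are visible here) would skip them. The enclosing case continues outside the hunk.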