rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Do not allow removal of superuser privileges from bootstrap user. 

A bootstrap user who is not a superuser will still own many
important system objects, such as the pg_catalog schema, that
will likely allow that user to regain superuser status. Therefore,
allowing the superuser property to be removed from the superuser
creates a false perception of security where none exists.

Although removing superuser from the bootstrap user is also a bad idea
and should be considered unsupported in all released versions, no
back-patch, as this is a behavior change.

Discussion: http://postgr.es/m/CA+TgmoZirCwArJms_fgvLBFrC6b=HdxmG7iAhv+kt_=NBA7tEw@mail.gmail.com
This commit is contained in:
Robert Haas 2022-07-26 14:10:38 -04:00
parent f92944137c
commit e530be2c5c
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/backend/commands/user.c
View File

@ -693,7 +693,14 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
*/
if (dissuper)
{
new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(boolVal(dissuper->arg));
bool should_be_super = BoolGetDatum(boolVal(dissuper->arg));
if (!should_be_super && roleid == BOOTSTRAP_SUPERUSERID)
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("permission denied: bootstrap user must be superuser")));
new_record[Anum_pg_authid_rolsuper - 1] = should_be_super;
new_record_repl[Anum_pg_authid_rolsuper - 1] = true;
}