Commit Graph

67 Commits

Author SHA1 Message Date
Tom Lane c185a57753 Revert "docs: change "default role" wording to "predefined role""
This reverts commit 0e936a2148.

Per discussion, we can't change the section title without some
web-site work, so revert this change temporarily.

Discussion: https://postgr.es/m/157742545062.1149.11052653770497832538@wrigleys.postgresql.org
2020-02-09 14:19:46 -05:00
Bruce Momjian 0e936a2148 docs: change "default role" wording to "predefined role"
The new wording was determined to be more accurate.  Also, update
release note links that reference these sections.

Reported-by: rirans@comcast.net

Discussion: https://postgr.es/m/157742545062.1149.11052653770497832538@wrigleys.postgresql.org

Backpatch-through: 9.6
2020-01-14 13:13:04 -05:00
Tom Lane 458f01e254 Doc: improve documentation of pg_signal_backend default role.
Give it an explanatory para like the other default roles have.
Don't imply that it can send any signal whatever.

In passing, reorder the table entries and explanatory paras
for the default roles into some semblance of consistency.

Ian Barwick, tweaked a bit by me.

Discussion: https://postgr.es/m/89907e32-76f3-7282-a89c-ea19c722fe5d@2ndquadrant.com
2019-08-27 18:03:09 -04:00
Peter Eisentraut f7481d2c3c Documentation spell checking and markup improvements 2018-06-29 21:26:41 +02:00
Stephen Frost 0fdc8495bf Add default roles for file/program access
This patch adds new default roles named 'pg_read_server_files',
'pg_write_server_files', 'pg_execute_server_program' which
allow an administrator to GRANT to a non-superuser role the ability to
access server-side files or run programs through PostgreSQL (as the user
the database is running as).  Having one of these roles allows a
non-superuser to use server-side COPY to read, write, or with a program,
and to use file_fdw (if installed by a superuser and GRANT'd USAGE on
it) to read from files or run a program.

The existing misc file functions are also changed to allow a user with
the 'pg_read_server_files' default role to read any files on the
filesystem, matching the privileges given to that role through COPY and
file_fdw from above.

Reviewed-By: Michael Paquier
Discussion: https://postgr.es/m/20171231191939.GR2416%40tamriel.snowman.net
2018-04-06 14:47:10 -04:00
Noah Misch 5770172cb0 Document security implications of search_path and the public schema.
The ability to create like-named objects in different schemas opens up
the potential for users to change the behavior of other users' queries,
maliciously or accidentally.  When you connect to a PostgreSQL server,
you should remove from your search_path any schema for which a user
other than yourself or superusers holds the CREATE privilege.  If you do
not, other users holding CREATE privilege can redefine the behavior of
your commands, causing them to perform arbitrary SQL statements under
your identity.  "SET search_path = ..." and "SELECT
pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
can use either as the first command of a session.  As special
exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb
createdb createlang createuser dropdb droplang dropuser ecpg (not
programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
vacuumlo.  Not included are core client programs that run user-specified
SQL commands, namely psql and pgbench.  PostgreSQL encourages non-core
client applications to do likewise.

Document this in the context of libpq connections, psql connections,
dblink connections, ECPG connections, extension packaging, and schema
usage patterns.  The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal
defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
Either one is sufficient to prevent attack.  After a REVOKE, consider
auditing the public schema for objects named like pg_catalog objects.

Authors of SECURITY DEFINER functions use some of the same defenses, and
the CREATE FUNCTION reference page already covered them thoroughly.
This is a good opportunity to audit SECURITY DEFINER functions for
robust security practice.

Back-patch to 9.3 (all supported versions).

Reviewed by Michael Paquier and Jonathan S. Katz.  Reported by Arseniy
Sharoglazov.

Security: CVE-2018-1058
2018-02-26 07:39:44 -08:00
Peter Eisentraut 3c49c6facb Convert documentation to DocBook XML
Since some preparation work had already been done, the only source
changes left were changing empty-element tags like <xref linkend="foo">
to <xref linkend="foo"/>, and changing the DOCTYPE.

The source files are still named *.sgml, but they are actually XML files
now.  Renaming could be considered later.

In the build system, the intermediate step to convert from SGML to XML
is removed.  Everything is build straight from the source files again.
The OpenSP (or the old SP) package is no longer needed.

The documentation toolchain instructions are updated and are much
simpler now.

Peter Eisentraut, Alexander Lakhin, Jürgen Purtz
2017-11-23 09:44:28 -05:00
Stephen Frost 0fe2780db4 Remove inbound links to sql-createuser
CREATE USER is an alias for CREATE ROLE, not its own command any longer,
so clean up references to the 'sql-createuser' link to go to
'sql-createrole' instead.

In passing, change a few cases of 'CREATE USER' to be
'CREATE ROLE ...  LOGIN'.  The remaining cases appear reasonable and
also mention the distinction between 'CREATE ROLE' and 'CREATE USER'.
Also, don't say CREATE USER "assumes" LOGIN, but rather "includes".

Patch-by: David G. Johnston, with assumes->includes by me.
Discussion: https://postgr.es/m/CAKFQuwYrbhKV8hH4TEABrDRBwf=gKremF=mLPQ6X2yGqxgFpYA@mail.gmail.com
2017-10-31 14:04:49 -04:00
Peter Eisentraut c29c578908 Don't use SGML empty tags
For DocBook XML compatibility, don't use SGML empty tags (</>) anymore,
replace by the full tag name.  Add a warning option to catch future
occurrences.

Alexander Lakhin, Jürgen Purtz
2017-10-17 15:10:33 -04:00
Peter Eisentraut bbaf9e8f84 Documentation spell checking and markup improvements 2017-06-18 14:02:12 -04:00
Simon Riggs 25fff40798 Default monitoring roles
Three nologin roles with non-overlapping privs are created by default
* pg_read_all_settings - read all GUCs.
* pg_read_all_stats - pg_stat_*, pg_database_size(), pg_tablespace_size()
* pg_stat_scan_tables - may lock/scan tables

Top level role - pg_monitor includes all of the above by default, plus others

Author: Dave Page
Reviewed-by: Stephen Frost, Robert Haas, Peter Eisentraut, Simon Riggs
2017-03-30 14:18:53 -04:00
Stephen Frost 7a542700df Create default roles
This creates an initial set of default roles which administrators may
use to grant access to, historically, superuser-only functions.  Using
these roles instead of granting superuser access reduces the number of
superuser roles required for a system.  Documention for each of the
default roles has been added to user-manag.sgml.

Bump catversion to 201604082, as we had a commit that bumped it to
201604081 and another that set it back to 201604071...

Reviews by José Luis Tallón and Robert Haas
2016-04-08 16:56:27 -04:00
Tom Lane 63acfb79ab Further improve documentation of the role-dropping process.
In commit 1ea0c73c2 I added a section to user-manag.sgml about how to drop
roles that own objects; but as pointed out by Stephen Frost, I neglected
that shared objects (databases or tablespaces) may need special treatment.
Fix that.  Back-patch to supported versions, like the previous patch.
2015-12-04 14:44:13 -05:00
Tom Lane 1ea0c73c2b Improve documentation of the role-dropping process.
In general one may have to run both REASSIGN OWNED and DROP OWNED to get
rid of all the dependencies of a role to be dropped.  This was alluded to
in the REASSIGN OWNED man page, but not really spelled out in full; and in
any case the procedure ought to be documented in a more prominent place
than that.  Add a section to the "Database Roles" chapter explaining this,
and do a bit of wordsmithing in the relevant commands' man pages.
2015-10-07 16:12:05 -04:00
Peter Eisentraut 741ccd5015 Use gender-neutral language in documentation
Based on patch by Thomas Munro <thomas.munro@enterprisedb.com>, although
I rephrased most of the initial work.
2015-09-21 22:57:29 -04:00
Heikki Linnakangas 00c5f55061 Make superuser imply replication privilege. The idea of a privilege that
superuser doesn't have doesn't make much sense, as a superuser can do
whatever he wants through other means, anyway. So instead of granting
replication privilege to superusers in CREATE USER time by default, allow
replication connection from superusers whether or not they have the
replication privilege.

Patch by Noah Misch, per discussion on bug report #6264
2012-01-14 18:22:16 +02:00
Peter Eisentraut aeabbccea0 Some markup cleanup to deconfuse the find_gt_lt tool
Josh Kupershmidt
2011-08-30 20:32:49 +03:00
Bruce Momjian 7a8f43968a In docs, rename "backwards compatibility" to "backward compatibility"
for consistency.
2011-03-11 14:33:10 -05:00
Bruce Momjian ede45e90dd Update docs about new role privileges reference, per Alvaro. 2011-02-21 09:15:48 -05:00
Bruce Momjian 48d25bac9f Merge two documentation permission chapters into a single chapter. 2011-02-20 22:21:34 -05:00
Magnus Hagander 66a8a0428d Give superusers REPLIACTION permission by default
This can be overriden by using NOREPLICATION on the CREATE ROLE
statement, but by default they will have it, making it backwards
compatible and "less surprising" (given that superusers normally
override all checks).
2011-01-05 14:24:17 +01:00
Magnus Hagander 1996b48285 Add missing part of replication role docs
Noted by Peter E.
2011-01-03 12:00:09 +01:00
Tom Lane d79a1a138e Undo some poorly-thought-out "proofreading improvements".
Per Tatsuhito Kasahara.
2010-10-05 18:48:13 -04:00
Magnus Hagander 9f2e211386 Remove cvs keywords from all files. 2010-09-20 22:08:53 +02:00
Peter Eisentraut 6dcce3985b Remove unnecessary xref endterm attributes and title ids
The endterm attribute is mainly useful when the toolchain does not support
automatic link target text generation for a particular situation.  In  the
past, this was required by the man page tools for all reference page links,
but that is no longer the case, and it now actually gets in the way of
proper automatic link text generation.  The only remaining use cases are
currently xrefs to refsects.
2010-04-03 07:23:02 +00:00
Bruce Momjian bf62b1a078 Proofreading improvements for the Administration documentation book. 2010-02-03 17:25:06 +00:00
Magnus Hagander 53a5026b5c Remove support for (insecure) crypt authentication.
This breaks compatibility with pre-7.2 versions.
2008-10-28 12:10:44 +00:00
Tom Lane a0b76dc662 Create a separate grantable privilege for TRUNCATE, rather than having it be
always owner-only.  The TRUNCATE privilege works identically to the DELETE
privilege so far as interactions with the rest of the system go.

Robert Haas
2008-09-08 00:47:41 +00:00
Bruce Momjian 09a9f10e7f Consistenly use colons before '<programlisting>' blocks, where
appropriate.
2007-02-01 00:28:19 +00:00
Bruce Momjian a134ee3379 Update documentation on may/can/might:
Standard English uses "may", "can", and "might" in different ways:

        may - permission, "You may borrow my rake."

        can - ability, "I can lift that log."

        might - possibility, "It might rain today."

Unfortunately, in conversational English, their use is often mixed, as
in, "You may use this variable to do X", when in fact, "can" is a better
choice.  Similarly, "It may crash" is better stated, "It might crash".

Also update two error messages mentioned in the documenation to match.
2007-01-31 20:56:20 +00:00
Tom Lane 7bae5a289c Get rid of the separate RULE privilege for tables: now only a table's owner
can create or modify rules for the table.  Do setRuleCheckAsUser() while
loading rules into the relcache, rather than when defining a rule.  This
ensures that permission checks for tables referenced in a rule are done with
respect to the current owner of the rule's table, whereas formerly ALTER TABLE
OWNER would fail to update the permission checking for associated rules.
Removal of separate RULE privilege is needed to prevent various scenarios
in which a grantee of RULE privilege could effectively have any privilege
of the table owner.  For backwards compatibility, GRANT/REVOKE RULE is still
accepted, but it doesn't do anything.  Per discussion here:
http://archives.postgresql.org/pgsql-hackers/2006-04/msg01138.php
2006-09-05 21:08:36 +00:00
Tom Lane 9649b182a1 Fix documentation error: GRANT/REVOKE for roles only accept role names
as grantees, not PUBLIC ... and you can't say GROUP either.  Noted by
Brian Hurt.
2006-08-02 16:29:49 +00:00
Tom Lane 82a2881c5b Code review for GRANT CONNECT patch. Spell the privilege as CONNECT not
CONNECTION, fix a number of places that were missed (eg pg_dump support),
avoid executing an extra search of pg_database during startup.
2006-04-30 21:15:33 +00:00
Bruce Momjian 497b5ad928 Make $PostgreSQL CVS tags consistent for SGML files. 2006-03-10 19:10:50 +00:00
Tom Lane c9de6b922e Document the behavior of GRANT/REVOKE in cases where the privilege is
held by means of role membership, rather than directly.  Per discussion
and bug fix of a couple weeks ago.
2005-10-20 19:18:01 +00:00
Neil Conway fc8f4bac0e Fix assorted typos in the documentation, and use American spelling
rather than British. Patch from Michael Fuhr.
2005-10-15 20:12:33 +00:00
Tom Lane 412734767a Improve documentation about CREATEROLE privilege. 2005-10-13 23:26:00 +00:00
Tom Lane 840b7f5205 Update administrator's guide chapters for ROLEs patch. 2005-08-14 23:35:38 +00:00
Tom Lane 6d3f74d801 Update and copy-edit description of privileges. 2005-03-25 16:38:58 +00:00
Bruce Momjian e49da4855c Clarify object ownership language to prevent confusion with database
ownership.
2005-02-25 02:34:56 +00:00
Tom Lane b5adf46cbd Some more small improvements in response to 7.4 interactive docs comments. 2005-01-08 22:13:38 +00:00
Tom Lane 008e9e452f More minor updates and copy-editing. 2004-12-27 22:30:10 +00:00
Neil Conway 9c8d5f0be1 Add a few more <xref> tags to the SGML docs, where appropriate. Original
patch from Michael Glaesemann, additional changes by Neil Conway.
2004-02-17 09:07:16 +00:00
PostgreSQL Daemon 969685ad44 $Header: -> $PostgreSQL Changes ... 2003-11-29 19:52:15 +00:00
Peter Eisentraut cf87eb4726 Upgrade to DocBook V4.2 SGML. 2003-11-24 19:08:02 +00:00
Peter Eisentraut c326d8f4f2 Add/edit index entries. 2003-08-31 17:32:24 +00:00
Tom Lane 18c10877a9 Make various links point to specific places instead of entire parts
(doubtless these are hangovers from the old separate-books days).
2003-08-10 01:20:34 +00:00
Peter Eisentraut 5e5c5cd31a Merge documentation into one book. (Build with "make html".) Replace
vague cross-references with real links.
2003-03-25 16:15:44 +00:00
Peter Eisentraut 706a32cdf6 Big editing for consistent content and presentation. 2003-03-13 01:30:29 +00:00
Peter Eisentraut 1b342df00a Merge documentation updates from 7.3 branch. 2002-11-11 20:14:04 +00:00