/*------------------------------------------------------------------------- * * aclchk.c * Routines to check access control permissions. * * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * * * IDENTIFICATION * $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.152 2009/01/22 20:16:00 tgl Exp $ * * NOTES * See acl.h. * *------------------------------------------------------------------------- */ #include "postgres.h" #include "access/genam.h" #include "access/heapam.h" #include "access/sysattr.h" #include "access/xact.h" #include "catalog/catalog.h" #include "catalog/dependency.h" #include "catalog/indexing.h" #include "catalog/pg_authid.h" #include "catalog/pg_conversion.h" #include "catalog/pg_database.h" #include "catalog/pg_foreign_data_wrapper.h" #include "catalog/pg_foreign_server.h" #include "catalog/pg_language.h" #include "catalog/pg_namespace.h" #include "catalog/pg_opclass.h" #include "catalog/pg_operator.h" #include "catalog/pg_opfamily.h" #include "catalog/pg_proc.h" #include "catalog/pg_tablespace.h" #include "catalog/pg_type.h" #include "catalog/pg_ts_config.h" #include "catalog/pg_ts_dict.h" #include "commands/dbcommands.h" #include "foreign/foreign.h" #include "miscadmin.h" #include "parser/parse_func.h" #include "utils/acl.h" #include "utils/fmgroids.h" #include "utils/lsyscache.h" #include "utils/rel.h" #include "utils/syscache.h" #include "utils/tqual.h" static void ExecGrant_Relation(InternalGrant *grantStmt); static void ExecGrant_Database(InternalGrant *grantStmt); static void ExecGrant_Fdw(InternalGrant *grantStmt); static void ExecGrant_ForeignServer(InternalGrant *grantStmt); static void ExecGrant_Function(InternalGrant *grantStmt); static void ExecGrant_Language(InternalGrant *grantStmt); static void ExecGrant_Namespace(InternalGrant *grantStmt); static void ExecGrant_Tablespace(InternalGrant *grantStmt); static List *objectNamesToOids(GrantObjectType objtype, List *objnames); static void expand_col_privileges(List *colnames, Oid table_oid, AclMode this_privileges, AclMode *col_privileges, int num_col_privileges); static void expand_all_col_privileges(Oid table_oid, Form_pg_class classForm, AclMode this_privileges, AclMode *col_privileges, int num_col_privileges); static AclMode string_to_privilege(const char *privname); static const char *privilege_to_string(AclMode privilege); static AclMode restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs, AclMode privileges, Oid objectId, Oid grantorId, AclObjectKind objkind, const char *objname, AttrNumber att_number, const char *colname); static AclMode pg_aclmask(AclObjectKind objkind, Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how); #ifdef ACLDEBUG static void dumpacl(Acl *acl) { int i; AclItem *aip; elog(DEBUG2, "acl size = %d, # acls = %d", ACL_SIZE(acl), ACL_NUM(acl)); aip = ACL_DAT(acl); for (i = 0; i < ACL_NUM(acl); ++i) elog(DEBUG2, " acl[%d]: %s", i, DatumGetCString(DirectFunctionCall1(aclitemout, PointerGetDatum(aip + i)))); } #endif /* ACLDEBUG */ /* * If is_grant is true, adds the given privileges for the list of * grantees to the existing old_acl. If is_grant is false, the * privileges for the given grantees are removed from old_acl. * * NB: the original old_acl is pfree'd. */ static Acl * merge_acl_with_grant(Acl *old_acl, bool is_grant, bool grant_option, DropBehavior behavior, List *grantees, AclMode privileges, Oid grantorId, Oid ownerId) { unsigned modechg; ListCell *j; Acl *new_acl; modechg = is_grant ? ACL_MODECHG_ADD : ACL_MODECHG_DEL; #ifdef ACLDEBUG dumpacl(old_acl); #endif new_acl = old_acl; foreach(j, grantees) { AclItem aclitem; Acl *newer_acl; aclitem.ai_grantee = lfirst_oid(j); /* * Grant options can only be granted to individual roles, not PUBLIC. * The reason is that if a user would re-grant a privilege that he * held through PUBLIC, and later the user is removed, the situation * is impossible to clean up. */ if (is_grant && grant_option && aclitem.ai_grantee == ACL_ID_PUBLIC) ereport(ERROR, (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("grant options can only be granted to roles"))); aclitem.ai_grantor = grantorId; /* * The asymmetry in the conditions here comes from the spec. In * GRANT, the grant_option flag signals WITH GRANT OPTION, which means * to grant both the basic privilege and its grant option. But in * REVOKE, plain revoke revokes both the basic privilege and its grant * option, while REVOKE GRANT OPTION revokes only the option. */ ACLITEM_SET_PRIVS_GOPTIONS(aclitem, (is_grant || !grant_option) ? privileges : ACL_NO_RIGHTS, (!is_grant || grant_option) ? privileges : ACL_NO_RIGHTS); newer_acl = aclupdate(new_acl, &aclitem, modechg, ownerId, behavior); /* avoid memory leak when there are many grantees */ pfree(new_acl); new_acl = newer_acl; #ifdef ACLDEBUG dumpacl(new_acl); #endif } return new_acl; } /* * Restrict the privileges to what we can actually grant, and emit * the standards-mandated warning and error messages. */ static AclMode restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs, AclMode privileges, Oid objectId, Oid grantorId, AclObjectKind objkind, const char *objname, AttrNumber att_number, const char *colname) { AclMode this_privileges; AclMode whole_mask; switch (objkind) { case ACL_KIND_COLUMN: whole_mask = ACL_ALL_RIGHTS_COLUMN; break; case ACL_KIND_CLASS: whole_mask = ACL_ALL_RIGHTS_RELATION; break; case ACL_KIND_SEQUENCE: whole_mask = ACL_ALL_RIGHTS_SEQUENCE; break; case ACL_KIND_DATABASE: whole_mask = ACL_ALL_RIGHTS_DATABASE; break; case ACL_KIND_PROC: whole_mask = ACL_ALL_RIGHTS_FUNCTION; break; case ACL_KIND_LANGUAGE: whole_mask = ACL_ALL_RIGHTS_LANGUAGE; break; case ACL_KIND_NAMESPACE: whole_mask = ACL_ALL_RIGHTS_NAMESPACE; break; case ACL_KIND_TABLESPACE: whole_mask = ACL_ALL_RIGHTS_TABLESPACE; break; case ACL_KIND_FDW: whole_mask = ACL_ALL_RIGHTS_FDW; break; case ACL_KIND_FOREIGN_SERVER: whole_mask = ACL_ALL_RIGHTS_FOREIGN_SERVER; break; default: elog(ERROR, "unrecognized object kind: %d", objkind); /* not reached, but keep compiler quiet */ return ACL_NO_RIGHTS; } /* * If we found no grant options, consider whether to issue a hard error. * Per spec, having any privilege at all on the object will get you by * here. */ if (avail_goptions == ACL_NO_RIGHTS) { if (pg_aclmask(objkind, objectId, att_number, grantorId, whole_mask | ACL_GRANT_OPTION_FOR(whole_mask), ACLMASK_ANY) == ACL_NO_RIGHTS) { if (objkind == ACL_KIND_COLUMN && colname) aclcheck_error_col(ACLCHECK_NO_PRIV, objkind, objname, colname); else aclcheck_error(ACLCHECK_NO_PRIV, objkind, objname); } } /* * Restrict the operation to what we can actually grant or revoke, and * issue a warning if appropriate. (For REVOKE this isn't quite what the * spec says to do: the spec seems to want a warning only if no privilege * bits actually change in the ACL. In practice that behavior seems much * too noisy, as well as inconsistent with the GRANT case.) */ this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions); if (is_grant) { if (this_privileges == 0) ereport(WARNING, (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED), errmsg("no privileges were granted for \"%s\"", objname))); else if (!all_privs && this_privileges != privileges) ereport(WARNING, (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED), errmsg("not all privileges were granted for \"%s\"", objname))); } else { if (this_privileges == 0) ereport(WARNING, (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED), errmsg("no privileges could be revoked for \"%s\"", objname))); else if (!all_privs && this_privileges != privileges) ereport(WARNING, (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED), errmsg("not all privileges could be revoked for \"%s\"", objname))); } return this_privileges; } /* * Called to execute the utility commands GRANT and REVOKE */ void ExecuteGrantStmt(GrantStmt *stmt) { InternalGrant istmt; ListCell *cell; const char *errormsg; AclMode all_privileges; /* * Turn the regular GrantStmt into the InternalGrant form. */ istmt.is_grant = stmt->is_grant; istmt.objtype = stmt->objtype; istmt.objects = objectNamesToOids(stmt->objtype, stmt->objects); /* all_privs to be filled below */ /* privileges to be filled below */ istmt.col_privs = NIL; /* may get filled below */ istmt.grantees = NIL; /* filled below */ istmt.grant_option = stmt->grant_option; istmt.behavior = stmt->behavior; /* * Convert the PrivGrantee list into an Oid list. Note that at this point * we insert an ACL_ID_PUBLIC into the list if an empty role name is * detected (which is what the grammar uses if PUBLIC is found), so * downstream there shouldn't be any additional work needed to support * this case. */ foreach(cell, stmt->grantees) { PrivGrantee *grantee = (PrivGrantee *) lfirst(cell); if (grantee->rolname == NULL) istmt.grantees = lappend_oid(istmt.grantees, ACL_ID_PUBLIC); else istmt.grantees = lappend_oid(istmt.grantees, get_roleid_checked(grantee->rolname)); } /* * Convert stmt->privileges, a list of AccessPriv nodes, into an * AclMode bitmask. Note: objtype can't be ACL_OBJECT_COLUMN. */ switch (stmt->objtype) { /* * Because this might be a sequence, we test both relation and * sequence bits, and later do a more limited test when we know * the object type. */ case ACL_OBJECT_RELATION: all_privileges = ACL_ALL_RIGHTS_RELATION | ACL_ALL_RIGHTS_SEQUENCE; errormsg = gettext_noop("invalid privilege type %s for relation"); break; case ACL_OBJECT_SEQUENCE: all_privileges = ACL_ALL_RIGHTS_SEQUENCE; errormsg = gettext_noop("invalid privilege type %s for sequence"); break; case ACL_OBJECT_DATABASE: all_privileges = ACL_ALL_RIGHTS_DATABASE; errormsg = gettext_noop("invalid privilege type %s for database"); break; case ACL_OBJECT_FUNCTION: all_privileges = ACL_ALL_RIGHTS_FUNCTION; errormsg = gettext_noop("invalid privilege type %s for function"); break; case ACL_OBJECT_LANGUAGE: all_privileges = ACL_ALL_RIGHTS_LANGUAGE; errormsg = gettext_noop("invalid privilege type %s for language"); break; case ACL_OBJECT_NAMESPACE: all_privileges = ACL_ALL_RIGHTS_NAMESPACE; errormsg = gettext_noop("invalid privilege type %s for schema"); break; case ACL_OBJECT_TABLESPACE: all_privileges = ACL_ALL_RIGHTS_TABLESPACE; errormsg = gettext_noop("invalid privilege type %s for tablespace"); break; case ACL_OBJECT_FDW: all_privileges = ACL_ALL_RIGHTS_FDW; errormsg = gettext_noop("invalid privilege type %s for foreign-data wrapper"); break; case ACL_OBJECT_FOREIGN_SERVER: all_privileges = ACL_ALL_RIGHTS_FOREIGN_SERVER; errormsg = gettext_noop("invalid privilege type %s for foreign server"); break; default: /* keep compiler quiet */ all_privileges = ACL_NO_RIGHTS; errormsg = NULL; elog(ERROR, "unrecognized GrantStmt.objtype: %d", (int) stmt->objtype); } if (stmt->privileges == NIL) { istmt.all_privs = true; /* * will be turned into ACL_ALL_RIGHTS_* by the internal routines * depending on the object type */ istmt.privileges = ACL_NO_RIGHTS; } else { istmt.all_privs = false; istmt.privileges = ACL_NO_RIGHTS; foreach(cell, stmt->privileges) { AccessPriv *privnode = (AccessPriv *) lfirst(cell); AclMode priv; /* * If it's a column-level specification, we just set it aside * in col_privs for the moment; but insist it's for a relation. */ if (privnode->cols) { if (stmt->objtype != ACL_OBJECT_RELATION) ereport(ERROR, (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column privileges are only valid for relations"))); istmt.col_privs = lappend(istmt.col_privs, privnode); continue; } if (privnode->priv_name == NULL) /* parser mistake? */ elog(ERROR, "AccessPriv node must specify privilege or columns"); priv = string_to_privilege(privnode->priv_name); if (priv & ~((AclMode) all_privileges)) ereport(ERROR, (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg(errormsg, privilege_to_string(priv)))); istmt.privileges |= priv; } } ExecGrantStmt_oids(&istmt); } /* * ExecGrantStmt_oids * * "Internal" entrypoint for granting and revoking privileges. This is * exported for pg_shdepend.c to use in revoking privileges when dropping * a role. */ void ExecGrantStmt_oids(InternalGrant *istmt) { switch (istmt->objtype) { case ACL_OBJECT_RELATION: case ACL_OBJECT_SEQUENCE: ExecGrant_Relation(istmt); break; case ACL_OBJECT_DATABASE: ExecGrant_Database(istmt); break; case ACL_OBJECT_FDW: ExecGrant_Fdw(istmt); break; case ACL_OBJECT_FOREIGN_SERVER: ExecGrant_ForeignServer(istmt); break; case ACL_OBJECT_FUNCTION: ExecGrant_Function(istmt); break; case ACL_OBJECT_LANGUAGE: ExecGrant_Language(istmt); break; case ACL_OBJECT_NAMESPACE: ExecGrant_Namespace(istmt); break; case ACL_OBJECT_TABLESPACE: ExecGrant_Tablespace(istmt); break; default: elog(ERROR, "unrecognized GrantStmt.objtype: %d", (int) istmt->objtype); } } /* * objectNamesToOids * * Turn a list of object names of a given type into an Oid list. */ static List * objectNamesToOids(GrantObjectType objtype, List *objnames) { List *objects = NIL; ListCell *cell; Assert(objnames != NIL); switch (objtype) { case ACL_OBJECT_RELATION: case ACL_OBJECT_SEQUENCE: foreach(cell, objnames) { RangeVar *relvar = (RangeVar *) lfirst(cell); Oid relOid; relOid = RangeVarGetRelid(relvar, false); objects = lappend_oid(objects, relOid); } break; case ACL_OBJECT_DATABASE: foreach(cell, objnames) { char *dbname = strVal(lfirst(cell)); Oid dbid; dbid = get_database_oid(dbname); if (!OidIsValid(dbid)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_DATABASE), errmsg("database \"%s\" does not exist", dbname))); objects = lappend_oid(objects, dbid); } break; case ACL_OBJECT_FUNCTION: foreach(cell, objnames) { FuncWithArgs *func = (FuncWithArgs *) lfirst(cell); Oid funcid; funcid = LookupFuncNameTypeNames(func->funcname, func->funcargs, false); objects = lappend_oid(objects, funcid); } break; case ACL_OBJECT_LANGUAGE: foreach(cell, objnames) { char *langname = strVal(lfirst(cell)); HeapTuple tuple; tuple = SearchSysCache(LANGNAME, PointerGetDatum(langname), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("language \"%s\" does not exist", langname))); objects = lappend_oid(objects, HeapTupleGetOid(tuple)); ReleaseSysCache(tuple); } break; case ACL_OBJECT_NAMESPACE: foreach(cell, objnames) { char *nspname = strVal(lfirst(cell)); HeapTuple tuple; tuple = SearchSysCache(NAMESPACENAME, CStringGetDatum(nspname), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_SCHEMA), errmsg("schema \"%s\" does not exist", nspname))); objects = lappend_oid(objects, HeapTupleGetOid(tuple)); ReleaseSysCache(tuple); } break; case ACL_OBJECT_TABLESPACE: foreach(cell, objnames) { char *spcname = strVal(lfirst(cell)); ScanKeyData entry[1]; HeapScanDesc scan; HeapTuple tuple; Relation relation; relation = heap_open(TableSpaceRelationId, AccessShareLock); ScanKeyInit(&entry[0], Anum_pg_tablespace_spcname, BTEqualStrategyNumber, F_NAMEEQ, CStringGetDatum(spcname)); scan = heap_beginscan(relation, SnapshotNow, 1, entry); tuple = heap_getnext(scan, ForwardScanDirection); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("tablespace \"%s\" does not exist", spcname))); objects = lappend_oid(objects, HeapTupleGetOid(tuple)); heap_endscan(scan); heap_close(relation, AccessShareLock); } break; case ACL_OBJECT_FDW: foreach(cell, objnames) { char *fdwname = strVal(lfirst(cell)); Oid fdwid = GetForeignDataWrapperOidByName(fdwname, false); objects = lappend_oid(objects, fdwid); } break; case ACL_OBJECT_FOREIGN_SERVER: foreach(cell, objnames) { char *srvname = strVal(lfirst(cell)); Oid srvid = GetForeignServerOidByName(srvname, false); objects = lappend_oid(objects, srvid); } break; default: elog(ERROR, "unrecognized GrantStmt.objtype: %d", (int) objtype); } return objects; } /* * expand_col_privileges * * OR the specified privilege(s) into per-column array entries for each * specified attribute. The per-column array is indexed starting at * FirstLowInvalidHeapAttributeNumber, up to relation's last attribute. */ static void expand_col_privileges(List *colnames, Oid table_oid, AclMode this_privileges, AclMode *col_privileges, int num_col_privileges) { ListCell *cell; foreach(cell, colnames) { char *colname = strVal(lfirst(cell)); AttrNumber attnum; attnum = get_attnum(table_oid, colname); if (attnum == InvalidAttrNumber) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_COLUMN), errmsg("column \"%s\" of relation \"%s\" does not exist", colname, get_rel_name(table_oid)))); attnum -= FirstLowInvalidHeapAttributeNumber; if (attnum <= 0 || attnum >= num_col_privileges) elog(ERROR, "column number out of range"); /* safety check */ col_privileges[attnum] |= this_privileges; } } /* * expand_all_col_privileges * * OR the specified privilege(s) into per-column array entries for each valid * attribute of a relation. The per-column array is indexed starting at * FirstLowInvalidHeapAttributeNumber, up to relation's last attribute. */ static void expand_all_col_privileges(Oid table_oid, Form_pg_class classForm, AclMode this_privileges, AclMode *col_privileges, int num_col_privileges) { AttrNumber curr_att; Assert(classForm->relnatts - FirstLowInvalidHeapAttributeNumber < num_col_privileges); for (curr_att = FirstLowInvalidHeapAttributeNumber + 1; curr_att <= classForm->relnatts; curr_att++) { HeapTuple attTuple; bool isdropped; if (curr_att == InvalidAttrNumber) continue; /* Skip OID column if it doesn't exist */ if (curr_att == ObjectIdAttributeNumber && !classForm->relhasoids) continue; /* Views don't have any system columns at all */ if (classForm->relkind == RELKIND_VIEW && curr_att < 0) continue; attTuple = SearchSysCache(ATTNUM, ObjectIdGetDatum(table_oid), Int16GetDatum(curr_att), 0, 0); if (!HeapTupleIsValid(attTuple)) elog(ERROR, "cache lookup failed for attribute %d of relation %u", curr_att, table_oid); isdropped = ((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped; ReleaseSysCache(attTuple); /* ignore dropped columns */ if (isdropped) continue; col_privileges[curr_att - FirstLowInvalidHeapAttributeNumber] |= this_privileges; } } /* * This processes attributes, but expects to be called from * ExecGrant_Relation, not directly from ExecGrantStmt. */ static void ExecGrant_Attribute(InternalGrant *istmt, Oid relOid, const char *relname, AttrNumber attnum, Oid ownerId, AclMode col_privileges, Relation attRelation, const Acl *old_rel_acl) { HeapTuple attr_tuple; Form_pg_attribute pg_attribute_tuple; Acl *old_acl; Acl *new_acl; Acl *merged_acl; Datum aclDatum; bool isNull; Oid grantorId; AclMode avail_goptions; bool need_update; HeapTuple newtuple; Datum values[Natts_pg_attribute]; bool nulls[Natts_pg_attribute]; bool replaces[Natts_pg_attribute]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; attr_tuple = SearchSysCache(ATTNUM, ObjectIdGetDatum(relOid), Int16GetDatum(attnum), 0, 0); if (!HeapTupleIsValid(attr_tuple)) elog(ERROR, "cache lookup failed for attribute %d of relation %u", attnum, relOid); pg_attribute_tuple = (Form_pg_attribute) GETSTRUCT(attr_tuple); /* * Get working copy of existing ACL. If there's no ACL, * substitute the proper default. */ aclDatum = SysCacheGetAttr(ATTNUM, attr_tuple, Anum_pg_attribute_attacl, &isNull); if (isNull) old_acl = acldefault(ACL_OBJECT_COLUMN, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* * In select_best_grantor we should consider existing table-level ACL bits * as well as the per-column ACL. Build a new ACL that is their * concatenation. (This is a bit cheap and dirty compared to merging * them properly with no duplications, but it's all we need here.) */ merged_acl = aclconcat(old_rel_acl, old_acl); /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), col_privileges, merged_acl, ownerId, &grantorId, &avail_goptions); pfree(merged_acl); /* * Restrict the privileges to what we can actually grant, and emit * the standards-mandated warning and error messages. Note: we don't * track whether the user actually used the ALL PRIVILEGES(columns) * syntax for each column; we just approximate it by whether all the * possible privileges are specified now. Since the all_privs flag only * determines whether a warning is issued, this seems close enough. */ col_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, (col_privileges == ACL_ALL_RIGHTS_COLUMN), col_privileges, relOid, grantorId, ACL_KIND_COLUMN, relname, attnum, NameStr(pg_attribute_tuple->attname)); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct * the shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, col_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); /* * If the updated ACL is empty, we can set attacl to null, and maybe * even avoid an update of the pg_attribute row. This is worth testing * because we'll come through here multiple times for any relation-level * REVOKE, even if there were never any column GRANTs. Note we are * assuming that the "default" ACL state for columns is empty. */ if (ACL_NUM(new_acl) > 0) { values[Anum_pg_attribute_attacl - 1] = PointerGetDatum(new_acl); need_update = true; } else { nulls[Anum_pg_attribute_attacl - 1] = true; need_update = !isNull; } replaces[Anum_pg_attribute_attacl - 1] = true; if (need_update) { newtuple = heap_modify_tuple(attr_tuple, RelationGetDescr(attRelation), values, nulls, replaces); simple_heap_update(attRelation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(attRelation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(RelationRelationId, relOid, attnum, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); } pfree(new_acl); ReleaseSysCache(attr_tuple); } /* * This processes both sequences and non-sequences. */ static void ExecGrant_Relation(InternalGrant *istmt) { Relation relation; Relation attRelation; ListCell *cell; relation = heap_open(RelationRelationId, RowExclusiveLock); attRelation = heap_open(AttributeRelationId, RowExclusiveLock); foreach(cell, istmt->objects) { Oid relOid = lfirst_oid(cell); Datum aclDatum; Form_pg_class pg_class_tuple; bool isNull; AclMode this_privileges; AclMode *col_privileges; int num_col_privileges; bool have_col_privileges; Acl *old_acl; Acl *old_rel_acl; Oid ownerId; HeapTuple tuple; ListCell *cell_colprivs; tuple = SearchSysCache(RELOID, ObjectIdGetDatum(relOid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) elog(ERROR, "cache lookup failed for relation %u", relOid); pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple); /* Not sensible to grant on an index */ if (pg_class_tuple->relkind == RELKIND_INDEX) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE), errmsg("\"%s\" is an index", NameStr(pg_class_tuple->relname)))); /* Composite types aren't tables either */ if (pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE), errmsg("\"%s\" is a composite type", NameStr(pg_class_tuple->relname)))); /* Used GRANT SEQUENCE on a non-sequence? */ if (istmt->objtype == ACL_OBJECT_SEQUENCE && pg_class_tuple->relkind != RELKIND_SEQUENCE) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE), errmsg("\"%s\" is not a sequence", NameStr(pg_class_tuple->relname)))); /* Adjust the default permissions based on whether it is a sequence */ if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) { if (pg_class_tuple->relkind == RELKIND_SEQUENCE) this_privileges = ACL_ALL_RIGHTS_SEQUENCE; else this_privileges = ACL_ALL_RIGHTS_RELATION; } else this_privileges = istmt->privileges; /* * The GRANT TABLE syntax can be used for sequences and non-sequences, * so we have to look at the relkind to determine the supported * permissions. The OR of table and sequence permissions were already * checked. */ if (istmt->objtype == ACL_OBJECT_RELATION) { if (pg_class_tuple->relkind == RELKIND_SEQUENCE) { /* * For backward compatibility, just throw a warning for * invalid sequence permissions when using the non-sequence * GRANT syntax. */ if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_SEQUENCE)) { /* * Mention the object name because the user needs to know * which operations succeeded. This is required because * WARNING allows the command to continue. */ ereport(WARNING, (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("sequence \"%s\" only supports USAGE, SELECT, and UPDATE privileges", NameStr(pg_class_tuple->relname)))); this_privileges &= (AclMode) ACL_ALL_RIGHTS_SEQUENCE; } } else { if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_RELATION)) { /* * USAGE is the only permission supported by sequences but * not by non-sequences. Don't mention the object name * because we didn't in the combined TABLE | SEQUENCE * check. */ ereport(ERROR, (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("invalid privilege type USAGE for table"))); } } } /* * Set up array in which we'll accumulate any column privilege bits * that need modification. The array is indexed such that entry [0] * corresponds to FirstLowInvalidHeapAttributeNumber. */ num_col_privileges = pg_class_tuple->relnatts - FirstLowInvalidHeapAttributeNumber + 1; col_privileges = (AclMode *) palloc0(num_col_privileges * sizeof(AclMode)); have_col_privileges = false; /* * If we are revoking relation privileges that are also column * privileges, we must implicitly revoke them from each column too, * per SQL spec. (We don't need to implicitly add column privileges * during GRANT because the permissions-checking code always checks * both relation and per-column privileges.) */ if (!istmt->is_grant && (this_privileges & ACL_ALL_RIGHTS_COLUMN) != 0) { expand_all_col_privileges(relOid, pg_class_tuple, this_privileges & ACL_ALL_RIGHTS_COLUMN, col_privileges, num_col_privileges); have_col_privileges = true; } /* * Get owner ID and working copy of existing ACL. If there's no ACL, * substitute the proper default. */ ownerId = pg_class_tuple->relowner; aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl, &isNull); if (isNull) old_acl = acldefault(pg_class_tuple->relkind == RELKIND_SEQUENCE ? ACL_OBJECT_SEQUENCE : ACL_OBJECT_RELATION, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* Need an extra copy of original rel ACL for column handling */ old_rel_acl = aclcopy(old_acl); /* * Handle relation-level privileges, if any were specified */ if (this_privileges != ACL_NO_RIGHTS) { AclMode avail_goptions; Acl *new_acl; Oid grantorId; HeapTuple newtuple; Datum values[Natts_pg_class]; bool nulls[Natts_pg_class]; bool replaces[Natts_pg_class]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), this_privileges, old_acl, ownerId, &grantorId, &avail_goptions); /* * Restrict the privileges to what we can actually grant, and emit * the standards-mandated warning and error messages. */ this_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, istmt->all_privs, this_privileges, relOid, grantorId, pg_class_tuple->relkind == RELKIND_SEQUENCE ? ACL_KIND_SEQUENCE : ACL_KIND_CLASS, NameStr(pg_class_tuple->relname), 0, NULL); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct * the shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, this_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); replaces[Anum_pg_class_relacl - 1] = true; values[Anum_pg_class_relacl - 1] = PointerGetDatum(new_acl); newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values, nulls, replaces); simple_heap_update(relation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(relation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(RelationRelationId, relOid, 0, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); pfree(new_acl); } /* * Handle column-level privileges, if any were specified or implied. * We first expand the user-specified column privileges into the * array, and then iterate over all nonempty array entries. */ foreach(cell_colprivs, istmt->col_privs) { AccessPriv *col_privs = (AccessPriv *) lfirst(cell_colprivs); if (col_privs->priv_name == NULL) this_privileges = ACL_ALL_RIGHTS_COLUMN; else this_privileges = string_to_privilege(col_privs->priv_name); if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_COLUMN)) ereport(ERROR, (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("invalid privilege type %s for column", privilege_to_string(this_privileges)))); if (pg_class_tuple->relkind == RELKIND_SEQUENCE && this_privileges & ~((AclMode) ACL_SELECT)) { /* * The only column privilege allowed on sequences is SELECT. * This is a warning not error because we do it that way * for relation-level privileges. */ ereport(WARNING, (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("sequence \"%s\" only supports SELECT column privileges", NameStr(pg_class_tuple->relname)))); this_privileges &= (AclMode) ACL_SELECT; } expand_col_privileges(col_privs->cols, relOid, this_privileges, col_privileges, num_col_privileges); have_col_privileges = true; } if (have_col_privileges) { AttrNumber i; for (i = 0; i < num_col_privileges; i++) { if (col_privileges[i] == ACL_NO_RIGHTS) continue; ExecGrant_Attribute(istmt, relOid, NameStr(pg_class_tuple->relname), i + FirstLowInvalidHeapAttributeNumber, ownerId, col_privileges[i], attRelation, old_rel_acl); } } pfree(old_rel_acl); pfree(col_privileges); ReleaseSysCache(tuple); /* prevent error when processing duplicate objects */ CommandCounterIncrement(); } heap_close(attRelation, RowExclusiveLock); heap_close(relation, RowExclusiveLock); } static void ExecGrant_Database(InternalGrant *istmt) { Relation relation; ListCell *cell; if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) istmt->privileges = ACL_ALL_RIGHTS_DATABASE; relation = heap_open(DatabaseRelationId, RowExclusiveLock); foreach(cell, istmt->objects) { Oid datId = lfirst_oid(cell); Form_pg_database pg_database_tuple; Datum aclDatum; bool isNull; AclMode avail_goptions; AclMode this_privileges; Acl *old_acl; Acl *new_acl; Oid grantorId; Oid ownerId; HeapTuple newtuple; Datum values[Natts_pg_database]; bool nulls[Natts_pg_database]; bool replaces[Natts_pg_database]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; HeapTuple tuple; tuple = SearchSysCache(DATABASEOID, ObjectIdGetDatum(datId), 0, 0, 0); if (!HeapTupleIsValid(tuple)) elog(ERROR, "cache lookup failed for database %u", datId); pg_database_tuple = (Form_pg_database) GETSTRUCT(tuple); /* * Get owner ID and working copy of existing ACL. If there's no ACL, * substitute the proper default. */ ownerId = pg_database_tuple->datdba; aclDatum = heap_getattr(tuple, Anum_pg_database_datacl, RelationGetDescr(relation), &isNull); if (isNull) old_acl = acldefault(ACL_OBJECT_DATABASE, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), istmt->privileges, old_acl, ownerId, &grantorId, &avail_goptions); /* * Restrict the privileges to what we can actually grant, and emit the * standards-mandated warning and error messages. */ this_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, istmt->all_privs, istmt->privileges, datId, grantorId, ACL_KIND_DATABASE, NameStr(pg_database_tuple->datname), 0, NULL); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct the * shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, this_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); replaces[Anum_pg_database_datacl - 1] = true; values[Anum_pg_database_datacl - 1] = PointerGetDatum(new_acl); newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values, nulls, replaces); simple_heap_update(relation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(relation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(DatabaseRelationId, HeapTupleGetOid(tuple), 0, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); ReleaseSysCache(tuple); pfree(new_acl); /* prevent error when processing duplicate objects */ CommandCounterIncrement(); } heap_close(relation, RowExclusiveLock); } static void ExecGrant_Fdw(InternalGrant *istmt) { Relation relation; ListCell *cell; if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) istmt->privileges = ACL_ALL_RIGHTS_FDW; relation = heap_open(ForeignDataWrapperRelationId, RowExclusiveLock); foreach(cell, istmt->objects) { Oid fdwid = lfirst_oid(cell); Form_pg_foreign_data_wrapper pg_fdw_tuple; Datum aclDatum; bool isNull; AclMode avail_goptions; AclMode this_privileges; Acl *old_acl; Acl *new_acl; Oid grantorId; Oid ownerId; HeapTuple tuple; HeapTuple newtuple; Datum values[Natts_pg_foreign_data_wrapper]; bool nulls[Natts_pg_foreign_data_wrapper]; bool replaces[Natts_pg_foreign_data_wrapper]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; tuple = SearchSysCache(FOREIGNDATAWRAPPEROID, ObjectIdGetDatum(fdwid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) elog(ERROR, "cache lookup failed for foreign-data wrapper %u", fdwid); pg_fdw_tuple = (Form_pg_foreign_data_wrapper) GETSTRUCT(tuple); /* * Get owner ID and working copy of existing ACL. If there's no ACL, * substitute the proper default. */ ownerId = pg_fdw_tuple->fdwowner; aclDatum = SysCacheGetAttr(FOREIGNDATAWRAPPEROID, tuple, Anum_pg_foreign_data_wrapper_fdwacl, &isNull); if (isNull) old_acl = acldefault(ACL_OBJECT_FDW, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), istmt->privileges, old_acl, ownerId, &grantorId, &avail_goptions); /* * Restrict the privileges to what we can actually grant, and emit the * standards-mandated warning and error messages. */ this_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, istmt->all_privs, istmt->privileges, fdwid, grantorId, ACL_KIND_FDW, NameStr(pg_fdw_tuple->fdwname), 0, NULL); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct the * shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, this_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); replaces[Anum_pg_foreign_data_wrapper_fdwacl - 1] = true; values[Anum_pg_foreign_data_wrapper_fdwacl - 1] = PointerGetDatum(new_acl); newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values, nulls, replaces); simple_heap_update(relation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(relation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(ForeignDataWrapperRelationId, HeapTupleGetOid(tuple), 0, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); ReleaseSysCache(tuple); pfree(new_acl); /* prevent error when processing duplicate objects */ CommandCounterIncrement(); } heap_close(relation, RowExclusiveLock); } static void ExecGrant_ForeignServer(InternalGrant *istmt) { Relation relation; ListCell *cell; if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) istmt->privileges = ACL_ALL_RIGHTS_FOREIGN_SERVER; relation = heap_open(ForeignServerRelationId, RowExclusiveLock); foreach(cell, istmt->objects) { Oid srvid = lfirst_oid(cell); Form_pg_foreign_server pg_server_tuple; Datum aclDatum; bool isNull; AclMode avail_goptions; AclMode this_privileges; Acl *old_acl; Acl *new_acl; Oid grantorId; Oid ownerId; HeapTuple tuple; HeapTuple newtuple; Datum values[Natts_pg_foreign_server]; bool nulls[Natts_pg_foreign_server]; bool replaces[Natts_pg_foreign_server]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; tuple = SearchSysCache(FOREIGNSERVEROID, ObjectIdGetDatum(srvid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) elog(ERROR, "cache lookup failed for foreign server %u", srvid); pg_server_tuple = (Form_pg_foreign_server) GETSTRUCT(tuple); /* * Get owner ID and working copy of existing ACL. If there's no ACL, * substitute the proper default. */ ownerId = pg_server_tuple->srvowner; aclDatum = SysCacheGetAttr(FOREIGNSERVEROID, tuple, Anum_pg_foreign_server_srvacl, &isNull); if (isNull) old_acl = acldefault(ACL_OBJECT_FOREIGN_SERVER, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), istmt->privileges, old_acl, ownerId, &grantorId, &avail_goptions); /* * Restrict the privileges to what we can actually grant, and emit the * standards-mandated warning and error messages. */ this_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, istmt->all_privs, istmt->privileges, srvid, grantorId, ACL_KIND_FOREIGN_SERVER, NameStr(pg_server_tuple->srvname), 0, NULL); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct the * shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, this_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); replaces[Anum_pg_foreign_server_srvacl - 1] = true; values[Anum_pg_foreign_server_srvacl - 1] = PointerGetDatum(new_acl); newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values, nulls, replaces); simple_heap_update(relation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(relation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(ForeignServerRelationId, HeapTupleGetOid(tuple), 0, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); ReleaseSysCache(tuple); pfree(new_acl); /* prevent error when processing duplicate objects */ CommandCounterIncrement(); } heap_close(relation, RowExclusiveLock); } static void ExecGrant_Function(InternalGrant *istmt) { Relation relation; ListCell *cell; if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) istmt->privileges = ACL_ALL_RIGHTS_FUNCTION; relation = heap_open(ProcedureRelationId, RowExclusiveLock); foreach(cell, istmt->objects) { Oid funcId = lfirst_oid(cell); Form_pg_proc pg_proc_tuple; Datum aclDatum; bool isNull; AclMode avail_goptions; AclMode this_privileges; Acl *old_acl; Acl *new_acl; Oid grantorId; Oid ownerId; HeapTuple tuple; HeapTuple newtuple; Datum values[Natts_pg_proc]; bool nulls[Natts_pg_proc]; bool replaces[Natts_pg_proc]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; tuple = SearchSysCache(PROCOID, ObjectIdGetDatum(funcId), 0, 0, 0); if (!HeapTupleIsValid(tuple)) elog(ERROR, "cache lookup failed for function %u", funcId); pg_proc_tuple = (Form_pg_proc) GETSTRUCT(tuple); /* * Get owner ID and working copy of existing ACL. If there's no ACL, * substitute the proper default. */ ownerId = pg_proc_tuple->proowner; aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl, &isNull); if (isNull) old_acl = acldefault(ACL_OBJECT_FUNCTION, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), istmt->privileges, old_acl, ownerId, &grantorId, &avail_goptions); /* * Restrict the privileges to what we can actually grant, and emit the * standards-mandated warning and error messages. */ this_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, istmt->all_privs, istmt->privileges, funcId, grantorId, ACL_KIND_PROC, NameStr(pg_proc_tuple->proname), 0, NULL); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct the * shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, this_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); replaces[Anum_pg_proc_proacl - 1] = true; values[Anum_pg_proc_proacl - 1] = PointerGetDatum(new_acl); newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values, nulls, replaces); simple_heap_update(relation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(relation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(ProcedureRelationId, funcId, 0, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); ReleaseSysCache(tuple); pfree(new_acl); /* prevent error when processing duplicate objects */ CommandCounterIncrement(); } heap_close(relation, RowExclusiveLock); } static void ExecGrant_Language(InternalGrant *istmt) { Relation relation; ListCell *cell; if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) istmt->privileges = ACL_ALL_RIGHTS_LANGUAGE; relation = heap_open(LanguageRelationId, RowExclusiveLock); foreach(cell, istmt->objects) { Oid langId = lfirst_oid(cell); Form_pg_language pg_language_tuple; Datum aclDatum; bool isNull; AclMode avail_goptions; AclMode this_privileges; Acl *old_acl; Acl *new_acl; Oid grantorId; Oid ownerId; HeapTuple tuple; HeapTuple newtuple; Datum values[Natts_pg_language]; bool nulls[Natts_pg_language]; bool replaces[Natts_pg_language]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; tuple = SearchSysCache(LANGOID, ObjectIdGetDatum(langId), 0, 0, 0); if (!HeapTupleIsValid(tuple)) elog(ERROR, "cache lookup failed for language %u", langId); pg_language_tuple = (Form_pg_language) GETSTRUCT(tuple); if (!pg_language_tuple->lanpltrusted) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE), errmsg("language \"%s\" is not trusted", NameStr(pg_language_tuple->lanname)), errhint("Only superusers can use untrusted languages."))); /* * Get owner ID and working copy of existing ACL. If there's no ACL, * substitute the proper default. */ ownerId = pg_language_tuple->lanowner; aclDatum = SysCacheGetAttr(LANGNAME, tuple, Anum_pg_language_lanacl, &isNull); if (isNull) old_acl = acldefault(ACL_OBJECT_LANGUAGE, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), istmt->privileges, old_acl, ownerId, &grantorId, &avail_goptions); /* * Restrict the privileges to what we can actually grant, and emit the * standards-mandated warning and error messages. */ this_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, istmt->all_privs, istmt->privileges, langId, grantorId, ACL_KIND_LANGUAGE, NameStr(pg_language_tuple->lanname), 0, NULL); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct the * shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, this_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); replaces[Anum_pg_language_lanacl - 1] = true; values[Anum_pg_language_lanacl - 1] = PointerGetDatum(new_acl); newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values, nulls, replaces); simple_heap_update(relation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(relation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(LanguageRelationId, HeapTupleGetOid(tuple), 0, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); ReleaseSysCache(tuple); pfree(new_acl); /* prevent error when processing duplicate objects */ CommandCounterIncrement(); } heap_close(relation, RowExclusiveLock); } static void ExecGrant_Namespace(InternalGrant *istmt) { Relation relation; ListCell *cell; if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) istmt->privileges = ACL_ALL_RIGHTS_NAMESPACE; relation = heap_open(NamespaceRelationId, RowExclusiveLock); foreach(cell, istmt->objects) { Oid nspid = lfirst_oid(cell); Form_pg_namespace pg_namespace_tuple; Datum aclDatum; bool isNull; AclMode avail_goptions; AclMode this_privileges; Acl *old_acl; Acl *new_acl; Oid grantorId; Oid ownerId; HeapTuple tuple; HeapTuple newtuple; Datum values[Natts_pg_namespace]; bool nulls[Natts_pg_namespace]; bool replaces[Natts_pg_namespace]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; tuple = SearchSysCache(NAMESPACEOID, ObjectIdGetDatum(nspid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) elog(ERROR, "cache lookup failed for namespace %u", nspid); pg_namespace_tuple = (Form_pg_namespace) GETSTRUCT(tuple); /* * Get owner ID and working copy of existing ACL. If there's no ACL, * substitute the proper default. */ ownerId = pg_namespace_tuple->nspowner; aclDatum = SysCacheGetAttr(NAMESPACENAME, tuple, Anum_pg_namespace_nspacl, &isNull); if (isNull) old_acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), istmt->privileges, old_acl, ownerId, &grantorId, &avail_goptions); /* * Restrict the privileges to what we can actually grant, and emit the * standards-mandated warning and error messages. */ this_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, istmt->all_privs, istmt->privileges, nspid, grantorId, ACL_KIND_NAMESPACE, NameStr(pg_namespace_tuple->nspname), 0, NULL); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct the * shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, this_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); replaces[Anum_pg_namespace_nspacl - 1] = true; values[Anum_pg_namespace_nspacl - 1] = PointerGetDatum(new_acl); newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values, nulls, replaces); simple_heap_update(relation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(relation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(NamespaceRelationId, HeapTupleGetOid(tuple), 0, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); ReleaseSysCache(tuple); pfree(new_acl); /* prevent error when processing duplicate objects */ CommandCounterIncrement(); } heap_close(relation, RowExclusiveLock); } static void ExecGrant_Tablespace(InternalGrant *istmt) { Relation relation; ListCell *cell; if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS) istmt->privileges = ACL_ALL_RIGHTS_TABLESPACE; relation = heap_open(TableSpaceRelationId, RowExclusiveLock); foreach(cell, istmt->objects) { Oid tblId = lfirst_oid(cell); Form_pg_tablespace pg_tablespace_tuple; Datum aclDatum; bool isNull; AclMode avail_goptions; AclMode this_privileges; Acl *old_acl; Acl *new_acl; Oid grantorId; Oid ownerId; HeapTuple newtuple; Datum values[Natts_pg_tablespace]; bool nulls[Natts_pg_tablespace]; bool replaces[Natts_pg_tablespace]; int noldmembers; int nnewmembers; Oid *oldmembers; Oid *newmembers; ScanKeyData entry[1]; SysScanDesc scan; HeapTuple tuple; /* There's no syscache for pg_tablespace, so must look the hard way */ ScanKeyInit(&entry[0], ObjectIdAttributeNumber, BTEqualStrategyNumber, F_OIDEQ, ObjectIdGetDatum(tblId)); scan = systable_beginscan(relation, TablespaceOidIndexId, true, SnapshotNow, 1, entry); tuple = systable_getnext(scan); if (!HeapTupleIsValid(tuple)) elog(ERROR, "cache lookup failed for tablespace %u", tblId); pg_tablespace_tuple = (Form_pg_tablespace) GETSTRUCT(tuple); /* * Get owner ID and working copy of existing ACL. If there's no ACL, * substitute the proper default. */ ownerId = pg_tablespace_tuple->spcowner; aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl, RelationGetDescr(relation), &isNull); if (isNull) old_acl = acldefault(ACL_OBJECT_TABLESPACE, ownerId); else old_acl = DatumGetAclPCopy(aclDatum); /* Determine ID to do the grant as, and available grant options */ select_best_grantor(GetUserId(), istmt->privileges, old_acl, ownerId, &grantorId, &avail_goptions); /* * Restrict the privileges to what we can actually grant, and emit the * standards-mandated warning and error messages. */ this_privileges = restrict_and_check_grant(istmt->is_grant, avail_goptions, istmt->all_privs, istmt->privileges, tblId, grantorId, ACL_KIND_TABLESPACE, NameStr(pg_tablespace_tuple->spcname), 0, NULL); /* * Generate new ACL. * * We need the members of both old and new ACLs so we can correct the * shared dependency information. */ noldmembers = aclmembers(old_acl, &oldmembers); new_acl = merge_acl_with_grant(old_acl, istmt->is_grant, istmt->grant_option, istmt->behavior, istmt->grantees, this_privileges, grantorId, ownerId); nnewmembers = aclmembers(new_acl, &newmembers); /* finished building new ACL value, now insert it */ MemSet(values, 0, sizeof(values)); MemSet(nulls, false, sizeof(nulls)); MemSet(replaces, false, sizeof(replaces)); replaces[Anum_pg_tablespace_spcacl - 1] = true; values[Anum_pg_tablespace_spcacl - 1] = PointerGetDatum(new_acl); newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values, nulls, replaces); simple_heap_update(relation, &newtuple->t_self, newtuple); /* keep the catalog indexes up to date */ CatalogUpdateIndexes(relation, newtuple); /* Update the shared dependency ACL info */ updateAclDependencies(TableSpaceRelationId, tblId, 0, ownerId, istmt->is_grant, noldmembers, oldmembers, nnewmembers, newmembers); systable_endscan(scan); pfree(new_acl); /* prevent error when processing duplicate objects */ CommandCounterIncrement(); } heap_close(relation, RowExclusiveLock); } static AclMode string_to_privilege(const char *privname) { if (strcmp(privname, "insert") == 0) return ACL_INSERT; if (strcmp(privname, "select") == 0) return ACL_SELECT; if (strcmp(privname, "update") == 0) return ACL_UPDATE; if (strcmp(privname, "delete") == 0) return ACL_DELETE; if (strcmp(privname, "truncate") == 0) return ACL_TRUNCATE; if (strcmp(privname, "references") == 0) return ACL_REFERENCES; if (strcmp(privname, "trigger") == 0) return ACL_TRIGGER; if (strcmp(privname, "execute") == 0) return ACL_EXECUTE; if (strcmp(privname, "usage") == 0) return ACL_USAGE; if (strcmp(privname, "create") == 0) return ACL_CREATE; if (strcmp(privname, "temporary") == 0) return ACL_CREATE_TEMP; if (strcmp(privname, "temp") == 0) return ACL_CREATE_TEMP; if (strcmp(privname, "connect") == 0) return ACL_CONNECT; if (strcmp(privname, "rule") == 0) return 0; /* ignore old RULE privileges */ ereport(ERROR, (errcode(ERRCODE_SYNTAX_ERROR), errmsg("unrecognized privilege type \"%s\"", privname))); return 0; /* appease compiler */ } static const char * privilege_to_string(AclMode privilege) { switch (privilege) { case ACL_INSERT: return "INSERT"; case ACL_SELECT: return "SELECT"; case ACL_UPDATE: return "UPDATE"; case ACL_DELETE: return "DELETE"; case ACL_TRUNCATE: return "TRUNCATE"; case ACL_REFERENCES: return "REFERENCES"; case ACL_TRIGGER: return "TRIGGER"; case ACL_EXECUTE: return "EXECUTE"; case ACL_USAGE: return "USAGE"; case ACL_CREATE: return "CREATE"; case ACL_CREATE_TEMP: return "TEMP"; case ACL_CONNECT: return "CONNECT"; default: elog(ERROR, "unrecognized privilege: %d", (int) privilege); } return NULL; /* appease compiler */ } /* * Standardized reporting of aclcheck permissions failures. * * Note: we do not double-quote the %s's below, because many callers * supply strings that might be already quoted. */ static const char *const no_priv_msg[MAX_ACL_KIND] = { /* ACL_KIND_COLUMN */ gettext_noop("permission denied for column %s"), /* ACL_KIND_CLASS */ gettext_noop("permission denied for relation %s"), /* ACL_KIND_SEQUENCE */ gettext_noop("permission denied for sequence %s"), /* ACL_KIND_DATABASE */ gettext_noop("permission denied for database %s"), /* ACL_KIND_PROC */ gettext_noop("permission denied for function %s"), /* ACL_KIND_OPER */ gettext_noop("permission denied for operator %s"), /* ACL_KIND_TYPE */ gettext_noop("permission denied for type %s"), /* ACL_KIND_LANGUAGE */ gettext_noop("permission denied for language %s"), /* ACL_KIND_NAMESPACE */ gettext_noop("permission denied for schema %s"), /* ACL_KIND_OPCLASS */ gettext_noop("permission denied for operator class %s"), /* ACL_KIND_OPFAMILY */ gettext_noop("permission denied for operator family %s"), /* ACL_KIND_CONVERSION */ gettext_noop("permission denied for conversion %s"), /* ACL_KIND_TABLESPACE */ gettext_noop("permission denied for tablespace %s"), /* ACL_KIND_TSDICTIONARY */ gettext_noop("permission denied for text search dictionary %s"), /* ACL_KIND_TSCONFIGURATION */ gettext_noop("permission denied for text search configuration %s"), /* ACL_KIND_FDW */ gettext_noop("permission denied for foreign-data wrapper %s"), /* ACL_KIND_FOREIGN_SERVER */ gettext_noop("permission denied for foreign server %s") }; static const char *const not_owner_msg[MAX_ACL_KIND] = { /* ACL_KIND_COLUMN */ gettext_noop("must be owner of relation %s"), /* ACL_KIND_CLASS */ gettext_noop("must be owner of relation %s"), /* ACL_KIND_SEQUENCE */ gettext_noop("must be owner of sequence %s"), /* ACL_KIND_DATABASE */ gettext_noop("must be owner of database %s"), /* ACL_KIND_PROC */ gettext_noop("must be owner of function %s"), /* ACL_KIND_OPER */ gettext_noop("must be owner of operator %s"), /* ACL_KIND_TYPE */ gettext_noop("must be owner of type %s"), /* ACL_KIND_LANGUAGE */ gettext_noop("must be owner of language %s"), /* ACL_KIND_NAMESPACE */ gettext_noop("must be owner of schema %s"), /* ACL_KIND_OPCLASS */ gettext_noop("must be owner of operator class %s"), /* ACL_KIND_OPFAMILY */ gettext_noop("must be owner of operator family %s"), /* ACL_KIND_CONVERSION */ gettext_noop("must be owner of conversion %s"), /* ACL_KIND_TABLESPACE */ gettext_noop("must be owner of tablespace %s"), /* ACL_KIND_TSDICTIONARY */ gettext_noop("must be owner of text search dictionary %s"), /* ACL_KIND_TSCONFIGURATION */ gettext_noop("must be owner of text search configuration %s"), /* ACL_KIND_FDW */ gettext_noop("must be owner of foreign-data wrapper %s"), /* ACL_KIND_FOREIGN_SERVER */ gettext_noop("must be owner of foreign server %s") }; void aclcheck_error(AclResult aclerr, AclObjectKind objectkind, const char *objectname) { switch (aclerr) { case ACLCHECK_OK: /* no error, so return to caller */ break; case ACLCHECK_NO_PRIV: ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg(no_priv_msg[objectkind], objectname))); break; case ACLCHECK_NOT_OWNER: ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg(not_owner_msg[objectkind], objectname))); break; default: elog(ERROR, "unrecognized AclResult: %d", (int) aclerr); break; } } void aclcheck_error_col(AclResult aclerr, AclObjectKind objectkind, const char *objectname, const char *colname) { switch (aclerr) { case ACLCHECK_OK: /* no error, so return to caller */ break; case ACLCHECK_NO_PRIV: ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("permission denied for column %s of relation %s", colname, objectname))); break; case ACLCHECK_NOT_OWNER: /* relation msg is OK since columns don't have separate owners */ ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg(not_owner_msg[objectkind], objectname))); break; default: elog(ERROR, "unrecognized AclResult: %d", (int) aclerr); break; } } /* Check if given user has rolcatupdate privilege according to pg_authid */ static bool has_rolcatupdate(Oid roleid) { bool rolcatupdate; HeapTuple tuple; tuple = SearchSysCache(AUTHOID, ObjectIdGetDatum(roleid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("role with OID %u does not exist", roleid))); rolcatupdate = ((Form_pg_authid) GETSTRUCT(tuple))->rolcatupdate; ReleaseSysCache(tuple); return rolcatupdate; } /* * Relay for the various pg_*_mask routines depending on object kind */ static AclMode pg_aclmask(AclObjectKind objkind, Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how) { switch (objkind) { case ACL_KIND_COLUMN: return pg_class_aclmask(table_oid, roleid, mask, how) | pg_attribute_aclmask(table_oid, attnum, roleid, mask, how); case ACL_KIND_CLASS: case ACL_KIND_SEQUENCE: return pg_class_aclmask(table_oid, roleid, mask, how); case ACL_KIND_DATABASE: return pg_database_aclmask(table_oid, roleid, mask, how); case ACL_KIND_PROC: return pg_proc_aclmask(table_oid, roleid, mask, how); case ACL_KIND_LANGUAGE: return pg_language_aclmask(table_oid, roleid, mask, how); case ACL_KIND_NAMESPACE: return pg_namespace_aclmask(table_oid, roleid, mask, how); case ACL_KIND_TABLESPACE: return pg_tablespace_aclmask(table_oid, roleid, mask, how); case ACL_KIND_FDW: return pg_foreign_data_wrapper_aclmask(table_oid, roleid, mask, how); case ACL_KIND_FOREIGN_SERVER: return pg_foreign_server_aclmask(table_oid, roleid, mask, how); default: elog(ERROR, "unrecognized objkind: %d", (int) objkind); /* not reached, but keep compiler quiet */ return ACL_NO_RIGHTS; } } /* **************************************************************** * Exported routines for examining a user's privileges for various objects * * See aclmask() for a description of the common API for these functions. * * Note: we give lookup failure the full ereport treatment because the * has_xxx_privilege() family of functions allow users to pass any random * OID to these functions. * **************************************************************** */ /* * Exported routine for examining a user's privileges for a column * * Note: this considers only privileges granted specifically on the column. * It is caller's responsibility to take relation-level privileges into account * as appropriate. (For the same reason, we have no special case for * superuser-ness here.) */ AclMode pg_attribute_aclmask(Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; HeapTuple classTuple; HeapTuple attTuple; Form_pg_class classForm; Form_pg_attribute attributeForm; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; /* * Must get the relation's tuple from pg_class (only needed for ownerId) */ classTuple = SearchSysCache(RELOID, ObjectIdGetDatum(table_oid), 0, 0, 0); if (!HeapTupleIsValid(classTuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_TABLE), errmsg("relation with OID %u does not exist", table_oid))); classForm = (Form_pg_class) GETSTRUCT(classTuple); ownerId = classForm->relowner; /* * Next, get the column's ACL from pg_attribute */ attTuple = SearchSysCache(ATTNUM, ObjectIdGetDatum(table_oid), Int16GetDatum(attnum), 0, 0); if (!HeapTupleIsValid(attTuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_COLUMN), errmsg("attribute %d of relation with OID %u does not exist", attnum, table_oid))); attributeForm = (Form_pg_attribute) GETSTRUCT(attTuple); /* Throw error on dropped columns, too */ if (attributeForm->attisdropped) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_COLUMN), errmsg("attribute %d of relation with OID %u does not exist", attnum, table_oid))); aclDatum = SysCacheGetAttr(ATTNUM, attTuple, Anum_pg_attribute_attacl, &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(ACL_OBJECT_COLUMN, ownerId); aclDatum = (Datum) 0; } else { /* detoast column's ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); ReleaseSysCache(attTuple); ReleaseSysCache(classTuple); return result; } /* * Exported routine for examining a user's privileges for a table */ AclMode pg_class_aclmask(Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; HeapTuple tuple; Form_pg_class classForm; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; /* * Must get the relation's tuple from pg_class */ tuple = SearchSysCache(RELOID, ObjectIdGetDatum(table_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_TABLE), errmsg("relation with OID %u does not exist", table_oid))); classForm = (Form_pg_class) GETSTRUCT(tuple); /* * Deny anyone permission to update a system catalog unless * pg_authid.rolcatupdate is set. (This is to let superusers protect * themselves from themselves.) Also allow it if allowSystemTableMods. * * As of 7.4 we have some updatable system views; those shouldn't be * protected in this way. Assume the view rules can take care of * themselves. ACL_USAGE is if we ever have system sequences. */ if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) && IsSystemClass(classForm) && classForm->relkind != RELKIND_VIEW && !has_rolcatupdate(roleid) && !allowSystemTableMods) { #ifdef ACLDEBUG elog(DEBUG2, "permission denied for system catalog update"); #endif mask &= ~(ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE); } /* * Otherwise, superusers bypass all permission-checking. */ if (superuser_arg(roleid)) { #ifdef ACLDEBUG elog(DEBUG2, "OID %u is superuser, home free", roleid); #endif ReleaseSysCache(tuple); return mask; } /* * Normal case: get the relation's ACL from pg_class */ ownerId = classForm->relowner; aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl, &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(classForm->relkind == RELKIND_SEQUENCE ? ACL_OBJECT_SEQUENCE : ACL_OBJECT_RELATION, ownerId); aclDatum = (Datum) 0; } else { /* detoast rel's ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); ReleaseSysCache(tuple); return result; } /* * Exported routine for examining a user's privileges for a database */ AclMode pg_database_aclmask(Oid db_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; HeapTuple tuple; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return mask; /* * Get the database's ACL from pg_database */ tuple = SearchSysCache(DATABASEOID, ObjectIdGetDatum(db_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_DATABASE), errmsg("database with OID %u does not exist", db_oid))); ownerId = ((Form_pg_database) GETSTRUCT(tuple))->datdba; aclDatum = SysCacheGetAttr(DATABASEOID, tuple, Anum_pg_database_datacl, &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(ACL_OBJECT_DATABASE, ownerId); aclDatum = (Datum) 0; } else { /* detoast ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); ReleaseSysCache(tuple); return result; } /* * Exported routine for examining a user's privileges for a function */ AclMode pg_proc_aclmask(Oid proc_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; HeapTuple tuple; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return mask; /* * Get the function's ACL from pg_proc */ tuple = SearchSysCache(PROCOID, ObjectIdGetDatum(proc_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_FUNCTION), errmsg("function with OID %u does not exist", proc_oid))); ownerId = ((Form_pg_proc) GETSTRUCT(tuple))->proowner; aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl, &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(ACL_OBJECT_FUNCTION, ownerId); aclDatum = (Datum) 0; } else { /* detoast ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); ReleaseSysCache(tuple); return result; } /* * Exported routine for examining a user's privileges for a language */ AclMode pg_language_aclmask(Oid lang_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; HeapTuple tuple; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return mask; /* * Get the language's ACL from pg_language */ tuple = SearchSysCache(LANGOID, ObjectIdGetDatum(lang_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("language with OID %u does not exist", lang_oid))); ownerId = ((Form_pg_language) GETSTRUCT(tuple))->lanowner; aclDatum = SysCacheGetAttr(LANGOID, tuple, Anum_pg_language_lanacl, &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(ACL_OBJECT_LANGUAGE, ownerId); aclDatum = (Datum) 0; } else { /* detoast ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); ReleaseSysCache(tuple); return result; } /* * Exported routine for examining a user's privileges for a namespace */ AclMode pg_namespace_aclmask(Oid nsp_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; HeapTuple tuple; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return mask; /* * If we have been assigned this namespace as a temp namespace, check to * make sure we have CREATE TEMP permission on the database, and if so act * as though we have all standard (but not GRANT OPTION) permissions on * the namespace. If we don't have CREATE TEMP, act as though we have * only USAGE (and not CREATE) rights. * * This may seem redundant given the check in InitTempTableNamespace, but * it really isn't since current user ID may have changed since then. The * upshot of this behavior is that a SECURITY DEFINER function can create * temp tables that can then be accessed (if permission is granted) by * code in the same session that doesn't have permissions to create temp * tables. * * XXX Would it be safe to ereport a special error message as * InitTempTableNamespace does? Returning zero here means we'll get a * generic "permission denied for schema pg_temp_N" message, which is not * remarkably user-friendly. */ if (isTempNamespace(nsp_oid)) { if (pg_database_aclcheck(MyDatabaseId, roleid, ACL_CREATE_TEMP) == ACLCHECK_OK) return mask & ACL_ALL_RIGHTS_NAMESPACE; else return mask & ACL_USAGE; } /* * Get the schema's ACL from pg_namespace */ tuple = SearchSysCache(NAMESPACEOID, ObjectIdGetDatum(nsp_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_SCHEMA), errmsg("schema with OID %u does not exist", nsp_oid))); ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner; aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple, Anum_pg_namespace_nspacl, &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId); aclDatum = (Datum) 0; } else { /* detoast ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); ReleaseSysCache(tuple); return result; } /* * Exported routine for examining a user's privileges for a tablespace */ AclMode pg_tablespace_aclmask(Oid spc_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; Relation pg_tablespace; ScanKeyData entry[1]; SysScanDesc scan; HeapTuple tuple; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return mask; /* * Get the tablespace's ACL from pg_tablespace * * There's no syscache for pg_tablespace, so must look the hard way */ pg_tablespace = heap_open(TableSpaceRelationId, AccessShareLock); ScanKeyInit(&entry[0], ObjectIdAttributeNumber, BTEqualStrategyNumber, F_OIDEQ, ObjectIdGetDatum(spc_oid)); scan = systable_beginscan(pg_tablespace, TablespaceOidIndexId, true, SnapshotNow, 1, entry); tuple = systable_getnext(scan); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("tablespace with OID %u does not exist", spc_oid))); ownerId = ((Form_pg_tablespace) GETSTRUCT(tuple))->spcowner; aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl, RelationGetDescr(pg_tablespace), &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(ACL_OBJECT_TABLESPACE, ownerId); aclDatum = (Datum) 0; } else { /* detoast ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); systable_endscan(scan); heap_close(pg_tablespace, AccessShareLock); return result; } /* * Exported routine for examining a user's privileges for a foreign * data wrapper */ AclMode pg_foreign_data_wrapper_aclmask(Oid fdw_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; HeapTuple tuple; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; Form_pg_foreign_data_wrapper fdwForm; /* Bypass permission checks for superusers */ if (superuser_arg(roleid)) return mask; /* * Must get the FDW's tuple from pg_foreign_data_wrapper */ tuple = SearchSysCache(FOREIGNDATAWRAPPEROID, ObjectIdGetDatum(fdw_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errmsg("foreign-data wrapper with OID %u does not exist", fdw_oid))); fdwForm = (Form_pg_foreign_data_wrapper) GETSTRUCT(tuple); /* * Normal case: get the FDW's ACL from pg_foreign_data_wrapper */ ownerId = fdwForm->fdwowner; aclDatum = SysCacheGetAttr(FOREIGNDATAWRAPPEROID, tuple, Anum_pg_foreign_data_wrapper_fdwacl, &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(ACL_OBJECT_FDW, ownerId); aclDatum = (Datum) 0; } else { /* detoast rel's ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); ReleaseSysCache(tuple); return result; } /* * Exported routine for examining a user's privileges for a foreign * server. */ AclMode pg_foreign_server_aclmask(Oid srv_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; HeapTuple tuple; Datum aclDatum; bool isNull; Acl *acl; Oid ownerId; Form_pg_foreign_server srvForm; /* Bypass permission checks for superusers */ if (superuser_arg(roleid)) return mask; /* * Must get the FDW's tuple from pg_foreign_data_wrapper */ tuple = SearchSysCache(FOREIGNSERVEROID, ObjectIdGetDatum(srv_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errmsg("foreign server with OID %u does not exist", srv_oid))); srvForm = (Form_pg_foreign_server) GETSTRUCT(tuple); /* * Normal case: get the foreign server's ACL from pg_foreign_server */ ownerId = srvForm->srvowner; aclDatum = SysCacheGetAttr(FOREIGNSERVEROID, tuple, Anum_pg_foreign_server_srvacl, &isNull); if (isNull) { /* No ACL, so build default ACL */ acl = acldefault(ACL_OBJECT_FOREIGN_SERVER, ownerId); aclDatum = (Datum) 0; } else { /* detoast rel's ACL if necessary */ acl = DatumGetAclP(aclDatum); } result = aclmask(acl, roleid, ownerId, mask, how); /* if we have a detoasted copy, free it */ if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) pfree(acl); ReleaseSysCache(tuple); return result; } /* * Exported routine for checking a user's access privileges to a column * * Returns ACLCHECK_OK if the user has any of the privileges identified by * 'mode'; otherwise returns a suitable error code (in practice, always * ACLCHECK_NO_PRIV). * * As with pg_attribute_aclmask, only privileges granted directly on the * column are considered here. */ AclResult pg_attribute_aclcheck(Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mode) { if (pg_attribute_aclmask(table_oid, attnum, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Exported routine for checking a user's access privileges to any/all columns * * If 'how' is ACLMASK_ANY, then returns ACLCHECK_OK if user has any of the * privileges identified by 'mode' on any non-dropped column in the relation; * otherwise returns a suitable error code (in practice, always * ACLCHECK_NO_PRIV). * * If 'how' is ACLMASK_ALL, then returns ACLCHECK_OK if user has any of the * privileges identified by 'mode' on all non-dropped columns in the relation * (and there must be at least one such column); otherwise returns a suitable * error code (in practice, always ACLCHECK_NO_PRIV). * * As with pg_attribute_aclmask, only privileges granted directly on the * column(s) are considered here. * * Note: system columns are not considered here; there are cases where that * might be appropriate but there are also cases where it wouldn't. */ AclResult pg_attribute_aclcheck_all(Oid table_oid, Oid roleid, AclMode mode, AclMaskHow how) { AclResult result; HeapTuple classTuple; Form_pg_class classForm; AttrNumber nattrs; AttrNumber curr_att; /* Must fetch pg_class row to check number of attributes */ classTuple = SearchSysCache(RELOID, ObjectIdGetDatum(table_oid), 0, 0, 0); if (!HeapTupleIsValid(classTuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_TABLE), errmsg("relation with OID %u does not exist", table_oid))); classForm = (Form_pg_class) GETSTRUCT(classTuple); nattrs = classForm->relnatts; ReleaseSysCache(classTuple); /* * Initialize result in case there are no non-dropped columns. We want * to report failure in such cases for either value of 'how'. */ result = ACLCHECK_NO_PRIV; for (curr_att = 1; curr_att <= nattrs; curr_att++) { HeapTuple attTuple; bool isdropped; attTuple = SearchSysCache(ATTNUM, ObjectIdGetDatum(table_oid), Int16GetDatum(curr_att), 0, 0); if (!HeapTupleIsValid(attTuple)) elog(ERROR, "cache lookup failed for attribute %d of relation %u", curr_att, table_oid); isdropped = ((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped; ReleaseSysCache(attTuple); /* ignore dropped columns */ if (isdropped) continue; if (pg_attribute_aclmask(table_oid, curr_att, roleid, mode, ACLMASK_ANY) != 0) { result = ACLCHECK_OK; if (how == ACLMASK_ANY) break; /* succeed on any success */ } else { result = ACLCHECK_NO_PRIV; if (how == ACLMASK_ALL) break; /* fail on any failure */ } } return result; } /* * Exported routine for checking a user's access privileges to a table * * Returns ACLCHECK_OK if the user has any of the privileges identified by * 'mode'; otherwise returns a suitable error code (in practice, always * ACLCHECK_NO_PRIV). */ AclResult pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode) { if (pg_class_aclmask(table_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Exported routine for checking a user's access privileges to a database */ AclResult pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode) { if (pg_database_aclmask(db_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Exported routine for checking a user's access privileges to a function */ AclResult pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode) { if (pg_proc_aclmask(proc_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Exported routine for checking a user's access privileges to a language */ AclResult pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode) { if (pg_language_aclmask(lang_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Exported routine for checking a user's access privileges to a namespace */ AclResult pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode) { if (pg_namespace_aclmask(nsp_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Exported routine for checking a user's access privileges to a tablespace */ AclResult pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode) { if (pg_tablespace_aclmask(spc_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Exported routine for checking a user's access privileges to a foreign * data wrapper */ AclResult pg_foreign_data_wrapper_aclcheck(Oid fdw_oid, Oid roleid, AclMode mode) { if (pg_foreign_data_wrapper_aclmask(fdw_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Exported routine for checking a user's access privileges to a foreign * server */ AclResult pg_foreign_server_aclcheck(Oid srv_oid, Oid roleid, AclMode mode) { if (pg_foreign_server_aclmask(srv_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else return ACLCHECK_NO_PRIV; } /* * Ownership check for a relation (specified by OID). */ bool pg_class_ownercheck(Oid class_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(RELOID, ObjectIdGetDatum(class_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_TABLE), errmsg("relation with OID %u does not exist", class_oid))); ownerId = ((Form_pg_class) GETSTRUCT(tuple))->relowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a type (specified by OID). */ bool pg_type_ownercheck(Oid type_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(TYPEOID, ObjectIdGetDatum(type_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("type with OID %u does not exist", type_oid))); ownerId = ((Form_pg_type) GETSTRUCT(tuple))->typowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for an operator (specified by OID). */ bool pg_oper_ownercheck(Oid oper_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(OPEROID, ObjectIdGetDatum(oper_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_FUNCTION), errmsg("operator with OID %u does not exist", oper_oid))); ownerId = ((Form_pg_operator) GETSTRUCT(tuple))->oprowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a function (specified by OID). */ bool pg_proc_ownercheck(Oid proc_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(PROCOID, ObjectIdGetDatum(proc_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_FUNCTION), errmsg("function with OID %u does not exist", proc_oid))); ownerId = ((Form_pg_proc) GETSTRUCT(tuple))->proowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a procedural language (specified by OID) */ bool pg_language_ownercheck(Oid lan_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(LANGOID, ObjectIdGetDatum(lan_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_FUNCTION), errmsg("language with OID %u does not exist", lan_oid))); ownerId = ((Form_pg_language) GETSTRUCT(tuple))->lanowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a namespace (specified by OID). */ bool pg_namespace_ownercheck(Oid nsp_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(NAMESPACEOID, ObjectIdGetDatum(nsp_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_SCHEMA), errmsg("schema with OID %u does not exist", nsp_oid))); ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a tablespace (specified by OID). */ bool pg_tablespace_ownercheck(Oid spc_oid, Oid roleid) { Relation pg_tablespace; ScanKeyData entry[1]; SysScanDesc scan; HeapTuple spctuple; Oid spcowner; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; /* There's no syscache for pg_tablespace, so must look the hard way */ pg_tablespace = heap_open(TableSpaceRelationId, AccessShareLock); ScanKeyInit(&entry[0], ObjectIdAttributeNumber, BTEqualStrategyNumber, F_OIDEQ, ObjectIdGetDatum(spc_oid)); scan = systable_beginscan(pg_tablespace, TablespaceOidIndexId, true, SnapshotNow, 1, entry); spctuple = systable_getnext(scan); if (!HeapTupleIsValid(spctuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("tablespace with OID %u does not exist", spc_oid))); spcowner = ((Form_pg_tablespace) GETSTRUCT(spctuple))->spcowner; systable_endscan(scan); heap_close(pg_tablespace, AccessShareLock); return has_privs_of_role(roleid, spcowner); } /* * Ownership check for an operator class (specified by OID). */ bool pg_opclass_ownercheck(Oid opc_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(CLAOID, ObjectIdGetDatum(opc_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("operator class with OID %u does not exist", opc_oid))); ownerId = ((Form_pg_opclass) GETSTRUCT(tuple))->opcowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for an operator family (specified by OID). */ bool pg_opfamily_ownercheck(Oid opf_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(OPFAMILYOID, ObjectIdGetDatum(opf_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("operator family with OID %u does not exist", opf_oid))); ownerId = ((Form_pg_opfamily) GETSTRUCT(tuple))->opfowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a text search dictionary (specified by OID). */ bool pg_ts_dict_ownercheck(Oid dict_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(TSDICTOID, ObjectIdGetDatum(dict_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("text search dictionary with OID %u does not exist", dict_oid))); ownerId = ((Form_pg_ts_dict) GETSTRUCT(tuple))->dictowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a text search configuration (specified by OID). */ bool pg_ts_config_ownercheck(Oid cfg_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(TSCONFIGOID, ObjectIdGetDatum(cfg_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("text search configuration with OID %u does not exist", cfg_oid))); ownerId = ((Form_pg_ts_config) GETSTRUCT(tuple))->cfgowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a foreign server (specified by OID). */ bool pg_foreign_server_ownercheck(Oid srv_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(FOREIGNSERVEROID, ObjectIdGetDatum(srv_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("foreign server with OID %u does not exist", srv_oid))); ownerId = ((Form_pg_foreign_server) GETSTRUCT(tuple))->srvowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); } /* * Ownership check for a database (specified by OID). */ bool pg_database_ownercheck(Oid db_oid, Oid roleid) { HeapTuple tuple; Oid dba; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(DATABASEOID, ObjectIdGetDatum(db_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_DATABASE), errmsg("database with OID %u does not exist", db_oid))); dba = ((Form_pg_database) GETSTRUCT(tuple))->datdba; ReleaseSysCache(tuple); return has_privs_of_role(roleid, dba); } /* * Ownership check for a conversion (specified by OID). */ bool pg_conversion_ownercheck(Oid conv_oid, Oid roleid) { HeapTuple tuple; Oid ownerId; /* Superusers bypass all permission checking. */ if (superuser_arg(roleid)) return true; tuple = SearchSysCache(CONVOID, ObjectIdGetDatum(conv_oid), 0, 0, 0); if (!HeapTupleIsValid(tuple)) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("conversion with OID %u does not exist", conv_oid))); ownerId = ((Form_pg_conversion) GETSTRUCT(tuple))->conowner; ReleaseSysCache(tuple); return has_privs_of_role(roleid, ownerId); }