(cloudberry) branch cbdb-postgres-merge updated: Check permisions for DML on system relation

[chenjinbao1989]

This is an automated email from the ASF dual-hosted git repository.

chenjinbao1989 pushed a commit to branch cbdb-postgres-merge
in repository https://gitbox.apache.org/repos/asf/cloudberry.git


The following commit(s) were added to refs/heads/cbdb-postgres-merge by this 
push:
     new c1191dff4cd Check permisions for DML on system relation
c1191dff4cd is described below

commit c1191dff4cd3881004efd65d73a3c56a908c8660
Author: Jinbao Chen <chenjinbao1...@gmail.com>
AuthorDate: Tue Dec 9 09:50:23 2025 +0800

    Check permisions for DML on system relation
---
 src/backend/cdb/cdbmutate.c       |  2 +-
 src/backend/parser/parse_clause.c | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/backend/cdb/cdbmutate.c b/src/backend/cdb/cdbmutate.c
index 511cfb20309..af61407a1bf 100644
--- a/src/backend/cdb/cdbmutate.c
+++ b/src/backend/cdb/cdbmutate.c
@@ -1854,7 +1854,7 @@ cdbpathtoplan_create_sri_plan(RangeTblEntry *rte, 
PlannerInfo *subroot, Path *su
                                                                                
  targetPolicy->nattrs,
                                                                                
  targetPolicy->attrs);
        hashOpfamilies = NIL;
-       for (i = 0; i < targetPolicy->nattrs; i++)
+       for (int i = 0; i < targetPolicy->nattrs; i++)
        {
                Oid                     opfamily = 
get_opclass_family(targetPolicy->opclasses[i]);
 
diff --git a/src/backend/parser/parse_clause.c 
b/src/backend/parser/parse_clause.c
index 8e4fd533b05..fad2f2a15e1 100644
--- a/src/backend/parser/parse_clause.c
+++ b/src/backend/parser/parse_clause.c
@@ -351,6 +351,20 @@ setTargetTable(ParseState *pstate, RangeVar *relation,
        /* remember the RTE/nsitem as being the query target */
        pstate->p_target_nsitem = nsitem;
 
+       /*
+        * Special check for DML on system relations,
+        * allow DML when:
+        *      - in single user mode: initdb insert PIN entries to 
pg_depend,...
+        *      - in maintenance mode, upgrade mode or
+        *  - allow_system_table_mods = true
+        */
+       if (IsUnderPostmaster && !allowSystemTableMods
+               && IsSystemRelation(pstate->p_target_relation))
+               ereport(ERROR,
+                               (errcode(ERRCODE_WRONG_OBJECT_TYPE),
+                                errmsg("permission denied: \"%s\" is a system 
catalog",
+                                                
RelationGetRelationName(pstate->p_target_relation))));
+
        /*
         * Override addRangeTableEntry's default ACL_SELECT permissions check, 
and
         * instead mark target table as requiring exactly the specified


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cloudberry.apache.org
For additional commands, e-mail: commits-h...@cloudberry.apache.org