Tom Lane wrote:
> Alvaro Herrera <alvhe...@2ndquadrant.com> writes:
> > Tom Lane wrote:
> >> I will bet that this is more breakage from the DDL-code refactoring that
> >> has been going on. I am getting closer and closer to wanting that
> >> reverted. KaiGai-san seems to have been throwing out lots of special
> >> cases that were there for good reasons.
>
> > Isn't this just a475c6036?
>
> Ah ... well, at least it was intentional. But still wrongheaded,
> as this example shows. What we should have done was what the commit
> message suggests, ie place a replacement check somewhere "upstream"
> where it would apply to all object types. First thought that comes to
> mind is to add a hack to pg_namespace_aclcheck, or maybe at some call
> site(s).

The attached patch seems to work:

alvherre=# create table pg_catalog.foo (a int);
ERROR: permission denied for schema pg_catalog

It passes regression tests for both core and contrib.

I notice that contrib/adminpack now fails, though (why doesn't this
module have a regression test?):

alvherre=# create extension adminpack;
ERROR: permission denied for schema pg_catalog

It sounds hard to support that without some other special hack. Not
sure what to do here. Have adminpack set allowSystemTableMods somehow?

I grepped for other occurrences of "pg_catalog" in contrib SQL scripts,
and all other modules seem to work (didn't try sepgsql):

$ rgrep -l pg_catalog */*sql | cut -d/ -f1 | while read module; do echo module: $module; psql -c "create extension $module"; done
module: adminpack
ERROR: permission denied for schema pg_catalog
module: btree_gist
CREATE EXTENSION
module: btree_gist
ERROR: extension "btree_gist" already exists
module: citext
CREATE EXTENSION
module: citext
ERROR: extension "citext" already exists
module: intarray
CREATE EXTENSION
module: isn
CREATE EXTENSION
module: lo
CREATE EXTENSION
module: pg_trgm
CREATE EXTENSION
module: pg_trgm
ERROR: extension "pg_trgm" already exists
module: sepgsql
ERROR: could not open extension control file "/home/alvherre/Code/pgsql/install/HEAD/share/extension/sepgsql.control": No such file or directory
module: tcn
CREATE EXTENSION
module: test_parser
CREATE EXTENSION
module: tsearch2
CREATE EXTENSION
module: tsearch2
ERROR: extension "tsearch2" already exists

--
Alvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index 0bf5356..3738cf5 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -4445,6 +4445,11 @@ pg_largeobject_aclcheck_snapshot(Oid lobj_oid, Oid roleid, AclMode mode, AclResult pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode) { + if (mode == ACL_CREATE && !allowSystemTableMods && + (IsSystemNamespace(nsp_oid) || IsToastNamespace(nsp_oid)) && + IsNormalProcessingMode()) + return ACLCHECK_NO_PRIV; + if (pg_namespace_aclmask(nsp_oid, roleid, mode, ACLMASK_ANY) != 0) return ACLCHECK_OK; else
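
Review bot: The new test at the top of pg_namespace_aclcheck compares with "mode == ACL_CREATE", but mode is an AclMode bitmask that the following statement hands to pg_namespace_aclmask with ACLMASK_ANY, so a caller passing ACL_CREATE combined with another bit would skip the system-namespace check; testing "(mode & ACL_CREATE) != 0" would cover that case. The early return also sits ahead of the pg_namespace_aclmask call, so it applies to every roleid whatever privileges that role holds, which is consistent with the adminpack failure reported in the message. The block has no comment: one stating that it stands in for the per-object-type checks and that allowSystemTableMods is the only way past it would help, since the ACLCHECK_NO_PRIV it returns looks to the caller exactly like an ordinary missing CREATE privilege.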