* Stephen Frost (sfr...@snowman.net) wrote: > * Stephen Frost (sfr...@snowman.net) wrote: > > > 3. It messes around with pg_signal_backend(). There are currently no > > > cases in which pg_signal_backend() throws an error, which is good, > > > because it lets you write queries against pg_stat_activity() that > > > don't fail halfway through, even if you are missing permissions on > > > some things. This patch introduces such a case, which is bad. > > > > Good point, I'll move that check up into the other functions, which will > > allow for a more descriptive error as well. > > Err, I'm missing something here, as pg_signal_backend() is a misc.c > static internal function? How would you be calling it from a query > against pg_stat_activity()? > > I'm fine making the change anyway, just curious..
Updated patch attached which move the ereport() out of
pg_signal_backend() and into its callers, as the other permissions
checks are done, and includes the documentation changes. The error
messages are minimally changed to match the new behvaior.
Thanks,
Stephen
From c60718e7a7ecb8d671627271533d6bd2b6878782 Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfr...@snowman.net>
Date: Mon, 1 Dec 2014 11:13:09 -0500
Subject: [PATCH] GetUserId() changes to has_privs_of_role()
The pg_stat and pg_signal-related functions have been using GetUserId()
instead of has_privs_of_role() for checking if the current user should
be able to see details in pg_stat_activity or signal other processes,
requiring a user to do 'SET ROLE' for inheirited roles for a permissions
check, unlike other permissions checks.
This patch changes that behavior to, instead, act like most other
permission checks and use has_privs_of_role(), removing the 'SET ROLE'
need. Documentation and error messages updated accordingly.
Per discussion with Alvaro, Peter, Adam (though not using Adam's patch),
and Robert.
---
doc/src/sgml/func.sgml | 13 ++++++-------
src/backend/utils/adt/misc.c | 39 +++++++++++++++++++++++++++++--------
src/backend/utils/adt/pgstatfuncs.c | 19 +++++++++---------
3 files changed, 47 insertions(+), 24 deletions(-)
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 62ec275..dbb61dc 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -16121,9 +16121,9 @@ SELECT set_config('log_statement_stats', 'off', false);
<literal><function>pg_cancel_backend(<parameter>pid</parameter> <type>int</>)</function></literal>
</entry>
<entry><type>boolean</type></entry>
- <entry>Cancel a backend's current query. You can execute this against
- another backend that has exactly the same role as the user calling the
- function. In all other cases, you must be a superuser.
+ <entry>Cancel a backend's current query. This is also allowed if the
+ calling role is a member of the role whose backend is being cancelled,
+ however only superusers can cancel superuser backends.
</entry>
</row>
<row>
@@ -16145,10 +16145,9 @@ SELECT set_config('log_statement_stats', 'off', false);
<literal><function>pg_terminate_backend(<parameter>pid</parameter> <type>int</>)</function></literal>
</entry>
<entry><type>boolean</type></entry>
- <entry>Terminate a backend. You can execute this against
- another backend that has exactly the same role as the user
- calling the function. In all other cases, you must be a
- superuser.
+ <entry>Terminate a backend. This is also allowed if the calling role
+ is a member of the role whose backend is being terminated, however only
+ superusers can terminate superuser backends.
</entry>
</row>
</tbody>
diff --git a/src/backend/utils/adt/misc.c b/src/backend/utils/adt/misc.c
index 67539ec..2e74eb9 100644
--- a/src/backend/utils/adt/misc.c
+++ b/src/backend/utils/adt/misc.c
@@ -37,6 +37,7 @@
#include "utils/lsyscache.h"
#include "utils/ruleutils.h"
#include "tcop/tcopprot.h"
+#include "utils/acl.h"
#include "utils/builtins.h"
#include "utils/timestamp.h"
@@ -81,7 +82,9 @@ current_query(PG_FUNCTION_ARGS)
* role as the backend being signaled. For "dangerous" signals, an explicit
* check for superuser needs to be done prior to calling this function.
*
- * Returns 0 on success, 1 on general failure, and 2 on permission error.
+ * Returns 0 on success, 1 on general failure, 2 on normal permission error
+ * and 3 if the caller needs to be a superuser.
+ *
* In the event of a general failure (return code 1), a warning message will
* be emitted. For permission errors, doing that is the responsibility of
* the caller.
@@ -89,6 +92,7 @@ current_query(PG_FUNCTION_ARGS)
#define SIGNAL_BACKEND_SUCCESS 0
#define SIGNAL_BACKEND_ERROR 1
#define SIGNAL_BACKEND_NOPERMISSION 2
+#define SIGNAL_BACKEND_NOSUPERUSER 3
static int
pg_signal_backend(int pid, int sig)
{
@@ -113,7 +117,12 @@ pg_signal_backend(int pid, int sig)
return SIGNAL_BACKEND_ERROR;
}
- if (!(superuser() || proc->roleId == GetUserId()))
+ /* Only allow superusers to signal superuser-owned backends. */
+ if (superuser_arg(proc->roleId) && !superuser())
+ return SIGNAL_BACKEND_NOSUPERUSER;
+
+ /* Users can signal backends they have role membership in. */
+ if (!has_privs_of_role(GetUserId(), proc->roleId))
return SIGNAL_BACKEND_NOPERMISSION;
/*
@@ -141,35 +150,49 @@ pg_signal_backend(int pid, int sig)
}
/*
- * Signal to cancel a backend process. This is allowed if you are superuser or
- * have the same role as the process being canceled.
+ * Signal to cancel a backend process. This is allowed if you are a member of
+ * the role whose process is being canceled.
+ *
+ * Note that only superusers can signal superuser-owned processes.
*/
Datum
pg_cancel_backend(PG_FUNCTION_ARGS)
{
int r = pg_signal_backend(PG_GETARG_INT32(0), SIGINT);
+ if (r == SIGNAL_BACKEND_NOSUPERUSER)
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ (errmsg("must be a superuser to cancel superuser query"))));
+
if (r == SIGNAL_BACKEND_NOPERMISSION)
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- (errmsg("must be superuser or have the same role to cancel queries running in other server processes"))));
+ (errmsg("must be a member of the role whose query is being cancelled"))));
PG_RETURN_BOOL(r == SIGNAL_BACKEND_SUCCESS);
}
/*
- * Signal to terminate a backend process. This is allowed if you are superuser
- * or have the same role as the process being terminated.
+ * Signal to terminate a backend process. This is allowed if you are a member
+ * of the role whose process is being terminated.
+ *
+ * Note that only superusers can signal superuser-owned processes.
*/
Datum
pg_terminate_backend(PG_FUNCTION_ARGS)
{
int r = pg_signal_backend(PG_GETARG_INT32(0), SIGTERM);
+ if (r == SIGNAL_BACKEND_NOSUPERUSER)
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ (errmsg("must be a superuser to terminate superuser process"))));
+
if (r == SIGNAL_BACKEND_NOPERMISSION)
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- (errmsg("must be superuser or have the same role to terminate other server processes"))));
+ (errmsg("must be a member of the role whose process is being terminated"))));
PG_RETURN_BOOL(r == SIGNAL_BACKEND_SUCCESS);
}
diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c
index d621a68..3663e93 100644
--- a/src/backend/utils/adt/pgstatfuncs.c
+++ b/src/backend/utils/adt/pgstatfuncs.c
@@ -20,6 +20,7 @@
#include "libpq/ip.h"
#include "miscadmin.h"
#include "pgstat.h"
+#include "utils/acl.h"
#include "utils/builtins.h"
#include "utils/inet.h"
#include "utils/timestamp.h"
@@ -674,8 +675,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
else
nulls[15] = true;
- /* Values only available to same user or superuser */
- if (superuser() || beentry->st_userid == GetUserId())
+ /* Values only available to role member */
+ if (has_privs_of_role(GetUserId(), beentry->st_userid))
{
SockAddr zero_clientaddr;
@@ -877,7 +878,7 @@ pg_stat_get_backend_activity(PG_FUNCTION_ARGS)
if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL)
activity = "<backend information not available>";
- else if (!superuser() && beentry->st_userid != GetUserId())
+ else if (!has_privs_of_role(GetUserId(), beentry->st_userid))
activity = "<insufficient privilege>";
else if (*(beentry->st_activity) == '\0')
activity = "<command string not enabled>";
@@ -898,7 +899,7 @@ pg_stat_get_backend_waiting(PG_FUNCTION_ARGS)
if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL)
PG_RETURN_NULL();
- if (!superuser() && beentry->st_userid != GetUserId())
+ if (!has_privs_of_role(GetUserId(), beentry->st_userid))
PG_RETURN_NULL();
result = beentry->st_waiting;
@@ -917,7 +918,7 @@ pg_stat_get_backend_activity_start(PG_FUNCTION_ARGS)
if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL)
PG_RETURN_NULL();
- if (!superuser() && beentry->st_userid != GetUserId())
+ if (!has_privs_of_role(GetUserId(), beentry->st_userid))
PG_RETURN_NULL();
result = beentry->st_activity_start_timestamp;
@@ -943,7 +944,7 @@ pg_stat_get_backend_xact_start(PG_FUNCTION_ARGS)
if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL)
PG_RETURN_NULL();
- if (!superuser() && beentry->st_userid != GetUserId())
+ if (!has_privs_of_role(GetUserId(), beentry->st_userid))
PG_RETURN_NULL();
result = beentry->st_xact_start_timestamp;
@@ -965,7 +966,7 @@ pg_stat_get_backend_start(PG_FUNCTION_ARGS)
if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL)
PG_RETURN_NULL();
- if (!superuser() && beentry->st_userid != GetUserId())
+ if (!has_privs_of_role(GetUserId(), beentry->st_userid))
PG_RETURN_NULL();
result = beentry->st_proc_start_timestamp;
@@ -989,7 +990,7 @@ pg_stat_get_backend_client_addr(PG_FUNCTION_ARGS)
if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL)
PG_RETURN_NULL();
- if (!superuser() && beentry->st_userid != GetUserId())
+ if (!has_privs_of_role(GetUserId(), beentry->st_userid))
PG_RETURN_NULL();
/* A zeroed client addr means we don't know */
@@ -1036,7 +1037,7 @@ pg_stat_get_backend_client_port(PG_FUNCTION_ARGS)
if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL)
PG_RETURN_NULL();
- if (!superuser() && beentry->st_userid != GetUserId())
+ if (!has_privs_of_role(GetUserId(), beentry->st_userid))
PG_RETURN_NULL();
/* A zeroed client addr means we don't know */
--
1.9.1
signature.asc
Description: Digital signature
