*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/access/transam/xact.c,v 1.229.2.5 2009/11/23 09:59:11 heikki Exp $
+ * $PostgreSQL: pgsql/src/backend/access/transam/xact.c,v 1.229.2.6 2009/12/09 21:58:28 tgl Exp $
*
*-------------------------------------------------------------------------
*/
int savepointLevel; /* savepoint level */
TransState state; /* low-level state */
TBlockState blockState; /* high-level state */
- int nestingLevel; /* nest depth */
+ int nestingLevel; /* transaction nesting depth */
+ int gucNestLevel; /* GUC context nesting depth */
MemoryContext curTransactionContext; /* my xact-lifetime context */
ResourceOwner curTransactionOwner; /* my query resources */
List *childXids; /* subcommitted child XIDs */
Oid prevUser; /* previous CurrentUserId setting */
- bool prevSecDefCxt; /* previous SecurityDefinerContext setting */
+ int prevSecContext; /* previous SecurityRestrictionContext */
bool prevXactReadOnly; /* entry-time xact r/o state */
struct TransactionStateData *parent; /* back link to parent */
} TransactionStateData;
TRANS_DEFAULT, /* transaction state */
TBLOCK_DEFAULT, /* transaction block state from the client
* perspective */
- 0, /* nesting level */
+ 0, /* transaction nesting depth */
+ 0, /* GUC context nesting depth */
NULL, /* cur transaction context */
NULL, /* cur transaction resource owner */
NIL, /* subcommitted child Xids */
InvalidOid, /* previous CurrentUserId setting */
- false, /* previous SecurityDefinerContext setting */
+ 0, /* previous SecurityRestrictionContext */
false, /* entry-time xact r/o state */
NULL /* link to parent state block */
};
* note: prevXactReadOnly is not used at the outermost level
*/
s->nestingLevel = 1;
+ s->gucNestLevel = 1;
s->childXids = NIL;
- GetUserIdAndContext(&s->prevUser, &s->prevSecDefCxt);
- /* SecurityDefinerContext should never be set outside a transaction */
- Assert(!s->prevSecDefCxt);
+ GetUserIdAndSecContext(&s->prevUser, &s->prevSecContext);
+ /* SecurityRestrictionContext should never be set outside a transaction */
+ Assert(s->prevSecContext == 0);
/*
* initialize other subsystems for new transaction
*/
+ AtStart_GUC();
AtStart_Inval();
AtStart_Cache();
AfterTriggerBeginXact();
/* Check we've released all catcache entries */
AtEOXact_CatCache(true);
- AtEOXact_GUC(true, false);
+ AtEOXact_GUC(true, 1);
AtEOXact_SPI(true);
AtEOXact_on_commit_actions(true);
AtEOXact_Namespace(true);
s->transactionId = InvalidTransactionId;
s->subTransactionId = InvalidSubTransactionId;
s->nestingLevel = 0;
+ s->gucNestLevel = 0;
s->childXids = NIL;
/*
AtEOXact_CatCache(true);
/* PREPARE acts the same as COMMIT as far as GUC is concerned */
- AtEOXact_GUC(true, false);
+ AtEOXact_GUC(true, 1);
AtEOXact_SPI(true);
AtEOXact_on_commit_actions(true);
AtEOXact_Namespace(true);
s->transactionId = InvalidTransactionId;
s->subTransactionId = InvalidSubTransactionId;
s->nestingLevel = 0;
+ s->gucNestLevel = 0;
s->childXids = NIL;
/*
* Reset user ID which might have been changed transiently. We need this
* to clean up in case control escaped out of a SECURITY DEFINER function
* or other local change of CurrentUserId; therefore, the prior value
- * of SecurityDefinerContext also needs to be restored.
+ * of SecurityRestrictionContext also needs to be restored.
*
* (Note: it is not necessary to restore session authorization or role
* settings here because those can only be changed via GUC, and GUC will
* take care of rolling them back if need be.)
*/
- SetUserIdAndContext(s->prevUser, s->prevSecDefCxt);
+ SetUserIdAndSecContext(s->prevUser, s->prevSecContext);
/*
* do abort processing
false, true);
AtEOXact_CatCache(false);
- AtEOXact_GUC(false, false);
+ AtEOXact_GUC(false, 1);
AtEOXact_SPI(false);
AtEOXact_on_commit_actions(false);
AtEOXact_Namespace(false);
s->transactionId = InvalidTransactionId;
s->subTransactionId = InvalidSubTransactionId;
s->nestingLevel = 0;
+ s->gucNestLevel = 0;
s->childXids = NIL;
/*
RESOURCE_RELEASE_AFTER_LOCKS,
true, false);
- AtEOXact_GUC(true, true);
+ AtEOXact_GUC(true, s->gucNestLevel);
AtEOSubXact_SPI(true, s->subTransactionId);
AtEOSubXact_on_commit_actions(true, s->subTransactionId,
s->parent->subTransactionId);
* Reset user ID which might have been changed transiently. (See notes
* in AbortTransaction.)
*/
- SetUserIdAndContext(s->prevUser, s->prevSecDefCxt);
+ SetUserIdAndSecContext(s->prevUser, s->prevSecContext);
/*
* We can skip all this stuff if the subxact failed before creating a
RESOURCE_RELEASE_AFTER_LOCKS,
false, false);
- AtEOXact_GUC(false, true);
+ AtEOXact_GUC(false, s->gucNestLevel);
AtEOSubXact_SPI(false, s->subTransactionId);
AtEOSubXact_on_commit_actions(false, s->subTransactionId,
s->parent->subTransactionId);
s->subTransactionId = currentSubTransactionId;
s->parent = p;
s->nestingLevel = p->nestingLevel + 1;
+ s->gucNestLevel = NewGUCNestLevel();
s->savepointLevel = p->savepointLevel;
s->state = TRANS_DEFAULT;
s->blockState = TBLOCK_SUBBEGIN;
- GetUserIdAndContext(&s->prevUser, &s->prevSecDefCxt);
+ GetUserIdAndSecContext(&s->prevUser, &s->prevSecContext);
s->prevXactReadOnly = XactReadOnly;
CurrentTransactionState = s;
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/catalog/index.c,v 1.274.2.3 2008/05/27 21:13:25 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/catalog/index.c,v 1.274.2.4 2009/12/09 21:58:28 tgl Exp $
*
*
* INTERFACE ROUTINES
#include "storage/smgr.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
+#include "utils/guc.h"
#include "utils/inval.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
RegProcedure procedure;
IndexBuildResult *stats;
Oid save_userid;
- bool save_secdefcxt;
+ int save_sec_context;
+ int save_nestlevel;
/*
* sanity checks
Assert(RegProcedureIsValid(procedure));
/*
- * Switch to the table owner's userid, so that any index functions are
- * run as that user.
+ * Switch to the table owner's userid, so that any index functions are run
+ * as that user. Also lock down security-restricted operations and
+ * arrange to make GUC variable changes local to this command.
*/
- GetUserIdAndContext(&save_userid, &save_secdefcxt);
- SetUserIdAndContext(heapRelation->rd_rel->relowner, true);
+ GetUserIdAndSecContext(&save_userid, &save_sec_context);
+ SetUserIdAndSecContext(heapRelation->rd_rel->relowner,
+ save_sec_context | SECURITY_RESTRICTED_OPERATION);
+ save_nestlevel = NewGUCNestLevel();
/*
* Call the access method's build procedure
PointerGetDatum(indexInfo)));
Assert(PointerIsValid(stats));
- /* Restore userid */
- SetUserIdAndContext(save_userid, save_secdefcxt);
+ /* Roll back any GUC changes executed by index functions */
+ AtEOXact_GUC(false, save_nestlevel);
+
+ /* Restore userid and security context */
+ SetUserIdAndSecContext(save_userid, save_sec_context);
/*
* Update heap and index pg_class rows
IndexVacuumInfo ivinfo;
v_i_state state;
Oid save_userid;
- bool save_secdefcxt;
+ int save_sec_context;
+ int save_nestlevel;
/* Open and lock the parent heap relation */
heapRelation = heap_open(heapId, ShareUpdateExclusiveLock);
indexInfo->ii_Concurrent = true;
/*
- * Switch to the table owner's userid, so that any index functions are
- * run as that user.
+ * Switch to the table owner's userid, so that any index functions are run
+ * as that user. Also lock down security-restricted operations and
+ * arrange to make GUC variable changes local to this command.
*/
- GetUserIdAndContext(&save_userid, &save_secdefcxt);
- SetUserIdAndContext(heapRelation->rd_rel->relowner, true);
+ GetUserIdAndSecContext(&save_userid, &save_sec_context);
+ SetUserIdAndSecContext(heapRelation->rd_rel->relowner,
+ save_sec_context | SECURITY_RESTRICTED_OPERATION);
+ save_nestlevel = NewGUCNestLevel();
/*
* Scan the index and gather up all the TIDs into a tuplesort object.
"validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples",
state.htups, state.itups, state.tups_inserted);
- /* Restore userid */
- SetUserIdAndContext(save_userid, save_secdefcxt);
+ /* Roll back any GUC changes executed by index functions */
+ AtEOXact_GUC(false, save_nestlevel);
+
+ /* Restore userid and security context */
+ SetUserIdAndSecContext(save_userid, save_sec_context);
/* Close rels, but keep locks */
index_close(indexRelation, NoLock);
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.101.2.2 2009/05/19 08:30:18 heikki Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.101.2.3 2009/12/09 21:58:28 tgl Exp $
*
*-------------------------------------------------------------------------
*/
#include "pgstat.h"
#include "utils/acl.h"
#include "utils/datum.h"
+#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
#include "utils/syscache.h"
totaldeadrows;
HeapTuple *rows;
Oid save_userid;
- bool save_secdefcxt;
+ int save_sec_context;
+ int save_nestlevel;
if (vacstmt->verbose)
elevel = INFO;
RelationGetRelationName(onerel))));
/*
- * Switch to the table owner's userid, so that any index functions are
- * run as that user.
+ * Switch to the table owner's userid, so that any index functions are run
+ * as that user. Also lock down security-restricted operations and
+ * arrange to make GUC variable changes local to this command.
*/
- GetUserIdAndContext(&save_userid, &save_secdefcxt);
- SetUserIdAndContext(onerel->rd_rel->relowner, true);
+ GetUserIdAndSecContext(&save_userid, &save_sec_context);
+ SetUserIdAndSecContext(onerel->rd_rel->relowner,
+ save_sec_context | SECURITY_RESTRICTED_OPERATION);
+ save_nestlevel = NewGUCNestLevel();
/*
* Determine which columns to analyze
*/
relation_close(onerel, NoLock);
- /* Restore userid */
- SetUserIdAndContext(save_userid, save_secdefcxt);
+ /* Roll back any GUC changes executed by index functions */
+ AtEOXact_GUC(false, save_nestlevel);
+
+ /* Restore userid and security context */
+ SetUserIdAndSecContext(save_userid, save_sec_context);
}
/*
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.41.2.1 2008/01/03 21:23:45 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.41.2.2 2009/12/09 21:58:28 tgl Exp $
*
*-------------------------------------------------------------------------
*/
ListCell *parsetree_item;
Oid owner_uid;
Oid saved_uid;
- bool saved_secdefcxt;
+ int save_sec_context;
AclResult aclresult;
- GetUserIdAndContext(&saved_uid, &saved_secdefcxt);
+ GetUserIdAndSecContext(&saved_uid, &save_sec_context);
/*
* Who is supposed to own the new schema?
* of error, transaction abort will clean things up.)
*/
if (saved_uid != owner_uid)
- SetUserIdAndContext(owner_uid, true);
+ SetUserIdAndSecContext(owner_uid,
+ save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
/* Create the schema's namespace */
namespaceId = NamespaceCreate(schemaName, owner_uid);
/* Reset search path to normal state */
PopSpecialNamespace(namespaceId);
- /* Reset current user */
- SetUserIdAndContext(saved_uid, saved_secdefcxt);
+ /* Reset current user and security context */
+ SetUserIdAndSecContext(saved_uid, save_sec_context);
}
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/commands/tablecmds.c,v 1.206.2.7 2008/10/07 11:15:54 heikki Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/tablecmds.c,v 1.206.2.8 2009/12/09 21:58:28 tgl Exp $
*
*-------------------------------------------------------------------------
*/
(errcode(ERRCODE_INVALID_TABLE_DEFINITION),
errmsg("ON COMMIT can only be used on temporary tables")));
+ /*
+ * Security check: disallow creating temp tables from security-restricted
+ * code. This is needed because calling code might not expect untrusted
+ * tables to appear in pg_temp at the front of its search path.
+ */
+ if (stmt->relation->istemp && InSecurityRestrictedOperation())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("cannot create temporary table within security-restricted operation")));
+
/*
* Look up the namespace in which we are supposed to create the relation.
* Check we have permission to create there. Skip check if bootstrapping,
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.342.2.7 2009/11/10 18:00:57 alvherre Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.342.2.8 2009/12/09 21:58:29 tgl Exp $
*
*-------------------------------------------------------------------------
*/
#include "utils/builtins.h"
#include "utils/flatfiles.h"
#include "utils/fmgroids.h"
+#include "utils/guc.h"
#include "utils/inval.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
LockRelId onerelid;
Oid toast_relid;
Oid save_userid;
- bool save_secdefcxt;
+ int save_sec_context;
+ int save_nestlevel;
bool heldoff;
/* Begin a transaction for vacuuming this relation */
toast_relid = onerel->rd_rel->reltoastrelid;
/*
- * Switch to the table owner's userid, so that any index functions are
- * run as that user. (This is unnecessary, but harmless, for lazy
- * VACUUM.)
+ * Switch to the table owner's userid, so that any index functions are run
+ * as that user. Also lock down security-restricted operations and
+ * arrange to make GUC variable changes local to this command.
+ * (This is unnecessary, but harmless, for lazy VACUUM.)
*/
- GetUserIdAndContext(&save_userid, &save_secdefcxt);
- SetUserIdAndContext(onerel->rd_rel->relowner, true);
+ GetUserIdAndSecContext(&save_userid, &save_sec_context);
+ SetUserIdAndSecContext(onerel->rd_rel->relowner,
+ save_sec_context | SECURITY_RESTRICTED_OPERATION);
+ save_nestlevel = NewGUCNestLevel();
/*
* Tell the cache replacement strategy that vacuum is causing all
StrategyHintVacuum(false);
- /* Restore userid */
- SetUserIdAndContext(save_userid, save_secdefcxt);
+ /* Roll back any GUC changes executed by index functions */
+ AtEOXact_GUC(false, save_nestlevel);
+
+ /* Restore userid and security context */
+ SetUserIdAndSecContext(save_userid, save_sec_context);
/* all done with this class, but hold lock until commit */
relation_close(onerel, NoLock);
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/executor/execMain.c,v 1.280.2.3 2008/08/08 17:01:26 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/executor/execMain.c,v 1.280.2.4 2009/12/09 21:58:29 tgl Exp $
*
*-------------------------------------------------------------------------
*/
TupleDesc tupdesc;
DR_intorel *myState;
+ /*
+ * XXX This code needs to be kept in sync with DefineRelation().
+ * Maybe we should try to use that function instead.
+ */
+
/*
* Check consistency of arguments
*/
(errcode(ERRCODE_INVALID_TABLE_DEFINITION),
errmsg("ON COMMIT can only be used on temporary tables")));
+ /*
+ * Security check: disallow creating temp tables from security-restricted
+ * code. This is needed because calling code might not expect untrusted
+ * tables to appear in pg_temp at the front of its search path.
+ */
+ if (parseTree->into->istemp && InSecurityRestrictedOperation())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("cannot create temporary table within security-restricted operation")));
+
/*
* Find namespace to create in, check its permissions
*/
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/tcop/utility.c,v 1.269 2006/10/04 00:29:58 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/tcop/utility.c,v 1.269.2.1 2009/12/09 21:58:29 tgl Exp $
*
*-------------------------------------------------------------------------
*/
}
+/*
+ * CheckRestrictedOperation: throw error for hazardous command if we're
+ * inside a security restriction context.
+ *
+ * This is needed to protect session-local state for which there is not any
+ * better-defined protection mechanism, such as ownership.
+ */
+static void
+CheckRestrictedOperation(const char *cmdname)
+{
+ if (InSecurityRestrictedOperation())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ /* translator: %s is name of a SQL command, eg PREPARE */
+ errmsg("cannot execute %s within security-restricted operation",
+ cmdname)));
+}
+
+
/*
* ProcessUtility
* general utility function invoker
{
ClosePortalStmt *stmt = (ClosePortalStmt *) parsetree;
+ CheckRestrictedOperation("CLOSE");
PerformPortalClose(stmt->portalname);
}
break;
break;
case T_PrepareStmt:
+ CheckRestrictedOperation("PREPARE");
PrepareQuery((PrepareStmt *) parsetree);
break;
break;
case T_DeallocateStmt:
+ CheckRestrictedOperation("DEALLOCATE");
DeallocateQuery((DeallocateStmt *) parsetree);
break;
{
ListenStmt *stmt = (ListenStmt *) parsetree;
+ CheckRestrictedOperation("LISTEN");
Async_Listen(stmt->relation->relname);
}
break;
{
UnlistenStmt *stmt = (UnlistenStmt *) parsetree;
+ CheckRestrictedOperation("UNLISTEN");
Async_Unlisten(stmt->relation->relname);
}
break;
*
* Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
*
- * $PostgreSQL: pgsql/src/backend/utils/adt/ri_triggers.c,v 1.89.2.2 2008/01/03 21:23:45 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/adt/ri_triggers.c,v 1.89.2.3 2009/12/09 21:58:29 tgl Exp $
*
* ----------
*/
void *qplan;
Relation query_rel;
Oid save_userid;
- bool save_secdefcxt;
+ int save_sec_context;
/*
* The query is always run against the FK table except when this is an
query_rel = fk_rel;
/* Switch to proper UID to perform check as */
- GetUserIdAndContext(&save_userid, &save_secdefcxt);
- SetUserIdAndContext(RelationGetForm(query_rel)->relowner, true);
+ GetUserIdAndSecContext(&save_userid, &save_sec_context);
+ SetUserIdAndSecContext(RelationGetForm(query_rel)->relowner,
+ save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
/* Create the plan */
qplan = SPI_prepare(querystr, nargs, argtypes);
if (qplan == NULL)
elog(ERROR, "SPI_prepare returned %d for %s", SPI_result, querystr);
- /* Restore UID */
- SetUserIdAndContext(save_userid, save_secdefcxt);
+ /* Restore UID and security context */
+ SetUserIdAndSecContext(save_userid, save_sec_context);
/* Save the plan if requested */
if (cache_plan)
int limit;
int spi_result;
Oid save_userid;
- bool save_secdefcxt;
+ int save_sec_context;
Datum vals[RI_MAX_NUMKEYS * 2];
char nulls[RI_MAX_NUMKEYS * 2];
limit = (expect_OK == SPI_OK_SELECT) ? 1 : 0;
/* Switch to proper UID to perform check as */
- GetUserIdAndContext(&save_userid, &save_secdefcxt);
- SetUserIdAndContext(RelationGetForm(query_rel)->relowner, true);
+ GetUserIdAndSecContext(&save_userid, &save_sec_context);
+ SetUserIdAndSecContext(RelationGetForm(query_rel)->relowner,
+ save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
/* Finally we can run the query. */
spi_result = SPI_execute_snapshot(qplan,
test_snapshot, crosscheck_snapshot,
false, false, limit);
- /* Restore UID */
- SetUserIdAndContext(save_userid, save_secdefcxt);
+ /* Restore UID and security context */
+ SetUserIdAndSecContext(save_userid, save_sec_context);
/* Check result */
if (spi_result < 0)
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/fmgr/fmgr.c,v 1.102.2.3 2009/01/07 20:39:15 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/fmgr/fmgr.c,v 1.102.2.4 2009/12/09 21:58:29 tgl Exp $
*
*-------------------------------------------------------------------------
*/
FmgrInfo *save_flinfo;
struct fmgr_security_definer_cache *volatile fcache;
Oid save_userid;
- bool save_secdefcxt;
+ int save_sec_context;
HeapTuple tuple;
if (!fcinfo->flinfo->fn_extra)
else
fcache = fcinfo->flinfo->fn_extra;
- GetUserIdAndContext(&save_userid, &save_secdefcxt);
- SetUserIdAndContext(fcache->userid, true);
+ GetUserIdAndSecContext(&save_userid, &save_sec_context);
+ SetUserIdAndSecContext(fcache->userid,
+ save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
/*
* We don't need to restore the userid settings on error, because the
fcinfo->flinfo = save_flinfo;
- SetUserIdAndContext(save_userid, save_secdefcxt);
+ SetUserIdAndSecContext(save_userid, save_sec_context);
return result;
}
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/init/miscinit.c,v 1.159.2.1 2008/01/03 21:23:45 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/init/miscinit.c,v 1.159.2.2 2009/12/09 21:58:29 tgl Exp $
*
*-------------------------------------------------------------------------
*/
* be the same as OuterUserId, but it changes during calls to SECURITY
* DEFINER functions, as well as locally in some specialized commands.
*
- * SecurityDefinerContext is TRUE if we are within a SECURITY DEFINER function
- * or another context that temporarily changes CurrentUserId.
+ * SecurityRestrictionContext holds flags indicating reason(s) for changing
+ * CurrentUserId. In some cases we need to lock down operations that are
+ * not directly controlled by privilege settings, and this provides a
+ * convenient way to do it.
* ----------------------------------------------------------------
*/
static Oid AuthenticatedUserId = InvalidOid;
static bool AuthenticatedUserIsSuperuser = false;
static bool SessionUserIsSuperuser = false;
-static bool SecurityDefinerContext = false;
+static int SecurityRestrictionContext = 0;
/* We also remember if a SET ROLE is currently active */
static bool SetRoleIsActive = false;
/*
* GetUserId - get the current effective user ID.
*
- * Note: there's no SetUserId() anymore; use SetUserIdAndContext().
+ * Note: there's no SetUserId() anymore; use SetUserIdAndSecContext().
*/
Oid
GetUserId(void)
static void
SetOuterUserId(Oid userid)
{
- AssertState(!SecurityDefinerContext);
+ AssertState(SecurityRestrictionContext == 0);
AssertArg(OidIsValid(userid));
OuterUserId = userid;
static void
SetSessionUserId(Oid userid, bool is_superuser)
{
- AssertState(!SecurityDefinerContext);
+ AssertState(SecurityRestrictionContext == 0);
AssertArg(OidIsValid(userid));
SessionUserId = userid;
SessionUserIsSuperuser = is_superuser;
/*
- * GetUserIdAndContext/SetUserIdAndContext - get/set the current user ID
- * and the SecurityDefinerContext flag.
+ * GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID
+ * and the SecurityRestrictionContext flags.
*
- * Unlike GetUserId, GetUserIdAndContext does *not* Assert that the current
- * value of CurrentUserId is valid; nor does SetUserIdAndContext require
+ * Currently there are two valid bits in SecurityRestrictionContext:
+ *
+ * SECURITY_LOCAL_USERID_CHANGE indicates that we are inside an operation
+ * that is temporarily changing CurrentUserId via these functions. This is
+ * needed to indicate that the actual value of CurrentUserId is not in sync
+ * with guc.c's internal state, so SET ROLE has to be disallowed.
+ *
+ * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation
+ * that does not wish to trust called user-defined functions at all. This
+ * bit prevents not only SET ROLE, but various other changes of session state
+ * that normally is unprotected but might possibly be used to subvert the
+ * calling session later. An example is replacing an existing prepared
+ * statement with new code, which will then be executed with the outer
+ * session's permissions when the prepared statement is next used. Since
+ * these restrictions are fairly draconian, we apply them only in contexts
+ * where the called functions are really supposed to be side-effect-free
+ * anyway, such as VACUUM/ANALYZE/REINDEX.
+ *
+ * Unlike GetUserId, GetUserIdAndSecContext does *not* Assert that the current
+ * value of CurrentUserId is valid; nor does SetUserIdAndSecContext require
* the new value to be valid. In fact, these routines had better not
* ever throw any kind of error. This is because they are used by
* StartTransaction and AbortTransaction to save/restore the settings,
* through AbortTransaction without asserting in case InitPostgres fails.
*/
void
-GetUserIdAndContext(Oid *userid, bool *sec_def_context)
+GetUserIdAndSecContext(Oid *userid, int *sec_context)
{
*userid = CurrentUserId;
- *sec_def_context = SecurityDefinerContext;
+ *sec_context = SecurityRestrictionContext;
}
void
-SetUserIdAndContext(Oid userid, bool sec_def_context)
+SetUserIdAndSecContext(Oid userid, int sec_context)
{
CurrentUserId = userid;
- SecurityDefinerContext = sec_def_context;
+ SecurityRestrictionContext = sec_context;
}
/*
- * InSecurityDefinerContext - are we inside a SECURITY DEFINER context?
+ * InLocalUserIdChange - are we inside a local change of CurrentUserId?
*/
bool
-InSecurityDefinerContext(void)
+InLocalUserIdChange(void)
{
- return SecurityDefinerContext;
+ return (SecurityRestrictionContext & SECURITY_LOCAL_USERID_CHANGE) != 0;
+}
+
+/*
+ * InSecurityRestrictedOperation - are we inside a security-restricted command?
+ */
+bool
+InSecurityRestrictedOperation(void)
+{
+ return (SecurityRestrictionContext & SECURITY_RESTRICTED_OPERATION) != 0;
+}
+
+
+/*
+ * These are obsolete versions of Get/SetUserIdAndSecContext that are
+ * only provided for bug-compatibility with some rather dubious code in
+ * pljava. We allow the userid to be set, but only when not inside a
+ * security restriction context.
+ */
+void
+GetUserIdAndContext(Oid *userid, bool *sec_def_context)
+{
+ *userid = CurrentUserId;
+ *sec_def_context = InLocalUserIdChange();
+}
+
+void
+SetUserIdAndContext(Oid userid, bool sec_def_context)
+{
+ /* We throw the same error SET ROLE would. */
+ if (InSecurityRestrictedOperation())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("cannot set parameter \"%s\" within security-restricted operation",
+ "role")));
+ CurrentUserId = userid;
+ if (sec_def_context)
+ SecurityRestrictionContext |= SECURITY_LOCAL_USERID_CHANGE;
+ else
+ SecurityRestrictionContext &= ~SECURITY_LOCAL_USERID_CHANGE;
}
* Written by Peter Eisentraut <peter_e@gmx.net>.
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.360.2.4 2009/09/03 22:08:32 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.360.2.5 2009/12/09 21:58:29 tgl Exp $
*
*--------------------------------------------------------------------
*/
{"role", PGC_USERSET, UNGROUPED,
gettext_noop("Sets the current role."),
NULL,
- GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_DEF
+ GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_REST
},
&role_string,
"none", assign_role, show_role
{"session_authorization", PGC_USERSET, UNGROUPED,
gettext_noop("Sets the session user name."),
NULL,
- GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_DEF
+ GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_REST
},
&session_authorization_string,
NULL, assign_session_authorization, show_session_authorization
static bool reporting_enabled; /* TRUE to enable GUC_REPORT */
+static int GUCNestLevel = 0; /* 1 when in main transaction */
+
static int guc_var_compare(const void *a, const void *b);
static int guc_name_compare(const char *namea, const char *nameb);
static void
push_old_value(struct config_generic * gconf)
{
- int my_level = GetCurrentTransactionNestLevel();
GucStack *stack;
/* If we're not inside a transaction, do nothing */
- if (my_level == 0)
+ if (GUCNestLevel == 0)
return;
for (;;)
{
/* Done if we already pushed it at this nesting depth */
- if (gconf->stack && gconf->stack->nest_level >= my_level)
+ if (gconf->stack && gconf->stack->nest_level >= GUCNestLevel)
return;
/*
}
/*
- * Do GUC processing at transaction or subtransaction commit or abort.
+ * Do GUC processing at main transaction start.
+ */
+void
+AtStart_GUC(void)
+{
+ /*
+ * The nest level should be 0 between transactions; if it isn't,
+ * somebody didn't call AtEOXact_GUC, or called it with the wrong
+ * nestLevel. We throw a warning but make no other effort to clean up.
+ */
+ if (GUCNestLevel != 0)
+ elog(WARNING, "GUC nest level = %d at transaction start",
+ GUCNestLevel);
+ GUCNestLevel = 1;
+}
+
+/*
+ * Enter a new nesting level for GUC values. This is called at subtransaction
+ * start and when entering a function that has proconfig settings. NOTE that
+ * we must not risk error here, else subtransaction start will be unhappy.
+ */
+int
+NewGUCNestLevel(void)
+{
+ return ++GUCNestLevel;
+}
+
+/*
+ * Do GUC processing at transaction or subtransaction commit or abort, or
+ * when exiting a function that has proconfig settings. (The name is thus
+ * a bit of a misnomer; perhaps it should be ExitGUCNestLevel or some such.)
+ * During abort, we discard all GUC settings that were applied at nesting
+ * levels >= nestLevel. nestLevel == 1 corresponds to the main transaction.
*/
void
-AtEOXact_GUC(bool isCommit, bool isSubXact)
+AtEOXact_GUC(bool isCommit, int nestLevel)
{
- int my_level;
int i;
+ Assert(nestLevel > 0 && nestLevel <= GUCNestLevel);
+
/* Quick exit if nothing's changed in this transaction */
if (!guc_dirty)
+ {
+ GUCNestLevel = nestLevel - 1;
return;
-
- my_level = GetCurrentTransactionNestLevel();
- Assert(isSubXact ? (my_level > 1) : (my_level == 1));
+ }
for (i = 0; i < num_guc_variables; i++)
{
/* Assert that we stacked old value before changing it */
Assert(stack != NULL && (my_status & GUC_HAVE_STACK));
/* However, the last change may have been at an outer xact level */
- if (stack->nest_level < my_level)
+ if (stack->nest_level < nestLevel)
continue;
- Assert(stack->nest_level == my_level);
+ Assert(stack->nest_level == nestLevel);
/*
* We will pop the stack entry. Start by restoring outer xact status
set_string_field(conf, &stack->tentative_val.stringval,
NULL);
/* Don't store tentative value separately after commit */
- if (!isSubXact)
+ if (nestLevel == 1)
set_string_field(conf, &conf->tentative_val, NULL);
break;
}
* If we're now out of all xact levels, forget TENTATIVE status bit;
* there's nothing tentative about the value anymore.
*/
- if (!isSubXact)
+ if (nestLevel == 1)
{
Assert(gconf->stack == NULL);
gconf->status = 0;
* that all outer transaction levels will have stacked values to deal
* with.)
*/
- if (!isSubXact)
+ if (nestLevel == 1)
guc_dirty = false;
+
+ /* Update nesting level */
+ GUCNestLevel = nestLevel - 1;
}
}
/*
- * Disallow changing GUC_NOT_WHILE_SEC_DEF values if we are inside a
- * security-definer function. We can reject this regardless of
- * the context or source, mainly because sources that it might be
+ * Disallow changing GUC_NOT_WHILE_SEC_REST values if we are inside a
+ * security restriction context. We can reject this regardless of
+ * the GUC context or source, mainly because sources that it might be
* reasonable to override for won't be seen while inside a function.
*
- * Note: variables marked GUC_NOT_WHILE_SEC_DEF should probably be marked
+ * Note: variables marked GUC_NOT_WHILE_SEC_REST should usually be marked
* GUC_NO_RESET_ALL as well, because ResetAllOptions() doesn't check this.
+ * An exception might be made if the reset value is assumed to be "safe".
*
* Note: this flag is currently used for "session_authorization" and
- * "role". We need to prohibit this because when we exit the sec-def
- * context, GUC won't be notified, leaving things out of sync.
- *
- * XXX it would be nice to allow these cases in future, with the behavior
- * being that the SET's effects end when the security definer context is
- * exited.
+ * "role". We need to prohibit changing these inside a local userid
+ * context because when we exit it, GUC won't be notified, leaving things
+ * out of sync. (This could be fixed by forcing a new GUC nesting level,
+ * but that would change behavior in possibly-undesirable ways.) Also,
+ * we prohibit changing these in a security-restricted operation because
+ * otherwise RESET could be used to regain the session user's privileges.
*/
- if ((record->flags & GUC_NOT_WHILE_SEC_DEF) && InSecurityDefinerContext())
+ if (record->flags & GUC_NOT_WHILE_SEC_REST)
{
- ereport(elevel,
- (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- errmsg("cannot set parameter \"%s\" within security-definer function",
- name)));
- return false;
+ if (InLocalUserIdChange())
+ {
+ /*
+ * Phrasing of this error message is historical, but it's the
+ * most common case.
+ */
+ ereport(elevel,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("cannot set parameter \"%s\" within security-definer function",
+ name)));
+ return false;
+ }
+ if (InSecurityRestrictedOperation())
+ {
+ ereport(elevel,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("cannot set parameter \"%s\" within security-restricted operation",
+ name)));
+ return false;
+ }
}
/*
* Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.190.2.1 2008/01/03 21:23:45 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.190.2.2 2009/12/09 21:58:29 tgl Exp $
*
* NOTES
* some of the information in this file should be moved to other files.
* POSTGRES directory path definitions. *
*****************************************************************************/
+/* flags to be OR'd to form sec_context */
+#define SECURITY_LOCAL_USERID_CHANGE 0x0001
+#define SECURITY_RESTRICTED_OPERATION 0x0002
+
extern char *DatabasePath;
/* now in utils/init/miscinit.c */
extern Oid GetUserId(void);
extern Oid GetOuterUserId(void);
extern Oid GetSessionUserId(void);
+extern void GetUserIdAndSecContext(Oid *userid, int *sec_context);
+extern void SetUserIdAndSecContext(Oid userid, int sec_context);
+extern bool InLocalUserIdChange(void);
+extern bool InSecurityRestrictedOperation(void);
extern void GetUserIdAndContext(Oid *userid, bool *sec_def_context);
extern void SetUserIdAndContext(Oid userid, bool sec_def_context);
-extern bool InSecurityDefinerContext(void);
extern void InitializeSessionUserId(const char *rolename);
extern void InitializeSessionUserIdStandalone(void);
extern void SetSessionAuthorization(Oid userid, bool is_superuser);
* Copyright (c) 2000-2006, PostgreSQL Global Development Group
* Written by Peter Eisentraut <peter_e@gmx.net>.
*
- * $PostgreSQL: pgsql/src/include/utils/guc.h,v 1.76 2006/10/19 18:32:47 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/utils/guc.h,v 1.76.2.1 2009/12/09 21:58:30 tgl Exp $
*--------------------------------------------------------------------
*/
#ifndef GUC_H
extern void InitializeGUCOptions(void);
extern bool SelectConfigFiles(const char *userDoption, const char *progname);
extern void ResetAllOptions(void);
-extern void AtEOXact_GUC(bool isCommit, bool isSubXact);
+extern void AtStart_GUC(void);
+extern int NewGUCNestLevel(void);
+extern void AtEOXact_GUC(bool isCommit, int nestLevel);
extern void BeginReportingGUCOptions(void);
extern void ParseLongOption(const char *string, char **name, char **value);
extern bool set_config_option(const char *name, const char *value,
*
* Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
*
- * $PostgreSQL: pgsql/src/include/utils/guc_tables.h,v 1.29.2.1 2009/09/03 22:08:34 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/utils/guc_tables.h,v 1.29.2.2 2009/12/09 21:58:30 tgl Exp $
*
*-------------------------------------------------------------------------
*/
#define GUC_UNIT_MIN 0x4000 /* value is in minutes */
#define GUC_UNIT_TIME 0x7000 /* mask for MS, S, MIN */
-#define GUC_NOT_WHILE_SEC_DEF 0x8000 /* can't change inside sec-def func */
+#define GUC_NOT_WHILE_SEC_REST 0x8000 /* can't set if security restricted */
/* bit values in status field */
#define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */
projects / thirdparty / postgresql.git / commitdiff
