
Commit df7fe9e

committed
Disallow dropping rules on system tables by default
This was previously not covered by allow_system_table_mods, but now it is. The impact in practice is probably low, but this makes it consistent with most other DDL commands. Reviewed-by: Robert Haas <robertmhaas@gmail.com> Discussion: https://www.postgresql.org/message-id/flat/ee9df1af-c0d8-7c82-5be7-39ce4e3b0a9d%402ndquadrant.com
1 parent 8c6d30f commit df7fe9e


3 files changed

+27
-2
lines changed


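--- a/src/backend/rewrite/rewriteRemove.c
+++ b/src/backend/rewrite/rewriteRemove.c
@@ -18,6 +18,7 @@
 #include "access/htup_details.h"
 #include "access/sysattr.h"
 #include "access/table.h"
+#include "catalog/catalog.h"
 #include "catalog/dependency.h"
 #include "catalog/indexing.h"
 #include "catalog/namespace.h"
@@ -28,6 +29,7 @@
 #include "utils/fmgroids.h"
 #include "utils/inval.h"
 #include "utils/lsyscache.h"
+#include "utils/rel.h"
 #include "utils/syscache.h"
 
 /*
@@ -72,6 +74,12 @@ RemoveRewriteRuleById(Oid ruleOid)
 eventRelationOid = ((Form_pg_rewrite) GETSTRUCT(tuple))->ev_class;
 event_relation = table_open(eventRelationOid, AccessExclusiveLock);
 
+if (!allowSystemTableMods && IsSystemRelation(event_relation))
+ereport(ERROR,
+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+errmsg("permission denied: \"%s\" is a system catalog",
+RelationGetRelationName(event_relation))));
+
 /*
 * Now delete the pg_rewrite tuple for the rule
 */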
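Review bot: The new guard in RemoveRewriteRuleById carries no comment, and it runs only after `table_open(eventRelationOid, AccessExclusiveLock)`, so a drop that is about to be refused still waits for and takes the strongest lock on the catalog before the error is raised. I would add above the `if`: `/* Don't allow dropping rules on system catalogs unless allow_system_table_mods is on. */`. Since the check sits in the by-OID removal routine, it presumably also applies when a rule is removed through a dependency cascade; if that is intended, a second sentence in the comment should say so. The function starts and ends outside the hunk, so whether an earlier ownership check already limits who can reach this lock cannot be confirmed from here.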

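--- a/src/test/modules/unsafe_tests/expected/alter_system_table.out
+++ b/src/test/modules/unsafe_tests/expected/alter_system_table.out
@@ -81,7 +81,16 @@ CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
 ERROR: permission denied: "pg_description" is a system catalog
 ALTER RULE r1 ON pg_description RENAME TO r2;
 ERROR: permission denied: "pg_description" is a system catalog
---DROP RULE r2 ON pg_description;
+-- now make one to test dropping:
+SET allow_system_table_mods TO on;
+CREATE RULE r2 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
+RESET allow_system_table_mods;
+DROP RULE r2 ON pg_description;
+ERROR: permission denied: "pg_description" is a system catalog
+-- cleanup:
+SET allow_system_table_mods TO on;
+DROP RULE r2 ON pg_description;
+RESET allow_system_table_mods;
 SET allow_system_table_mods = on;
 -- create new table in pg_catalog
 BEGIN;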

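--- a/src/test/modules/unsafe_tests/sql/alter_system_table.sql
+++ b/src/test/modules/unsafe_tests/sql/alter_system_table.sql
@@ -79,7 +79,15 @@ ALTER TRIGGER t1 ON pg_description RENAME TO t2;
 -- rules
 CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
 ALTER RULE r1 ON pg_description RENAME TO r2;
---DROP RULE r2 ON pg_description;
+-- now make one to test dropping:
+SET allow_system_table_mods TO on;
+CREATE RULE r2 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
+RESET allow_system_table_mods;
+DROP RULE r2 ON pg_description;
+-- cleanup:
+SET allow_system_table_mods TO on;
+DROP RULE r2 ON pg_description;
+RESET allow_system_table_mods;
 
 
 SET allow_system_table_mods = on;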
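Review bot: The first `DROP RULE r2 ON pg_description;` is the statement expected to be refused, but nothing in the .sql file says so; the identical statement appears again under `-- cleanup:` and the two are told apart only by the surrounding SET/RESET. I would add `-- should fail: allow_system_table_mods is off again` above the first one, so the intent is readable without the expected-output file. The added lines also write `SET allow_system_table_mods TO on;` while the context line at the end of the hunk uses `SET allow_system_table_mods = on;`; one spelling throughout the file would read better.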
