
Commit e79350f

committed
Remove explicit superuser checks in favor of ACLs
This removes the explicit superuser checks in the various file-access functions in the backend, specifically pg_ls_dir(), pg_read_file(), pg_read_binary_file(), and pg_stat_file(). Instead, EXECUTE is REVOKE'd from public for these, meaning that only a superuser is able to run them by default, but access to them can be GRANT'd to other roles. Reviewed-By: Michael Paquier Discussion: https://postgr.es/m/20171231191939.GR2416%40tamriel.snowman.net
1 parent 94c1f9b commit e79350f


2 files changed

+14
-20
lines changed


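--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -1156,6 +1156,20 @@ REVOKE EXECUTE ON FUNCTION lo_export(oid, text) FROM public;
 REVOKE EXECUTE ON FUNCTION pg_ls_logdir() FROM public;
 REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM public;
 
+REVOKE EXECUTE ON FUNCTION pg_read_file(text) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_read_file(text,bigint,bigint) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_read_file(text,bigint,bigint,boolean) FROM public;
+
+REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_read_binary_file(text,bigint,bigint,boolean) FROM public;
+
+REVOKE EXECUTE ON FUNCTION pg_stat_file(text) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_stat_file(text,boolean) FROM public;
+
+REVOKE EXECUTE ON FUNCTION pg_ls_dir(text) FROM public;
+REVOKE EXECUTE ON FUNCTION pg_ls_dir(text,boolean,boolean) FROM public;
+
 --
 -- We also set up some things as accessible to standard roles.
 --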
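Review bot: Once the superuser() checks are dropped from genfile.c in the second file of this commit, the REVOKE statements added here become the only access control on these functions, so every overload of pg_read_file, pg_read_binary_file, pg_stat_file and pg_ls_dir must appear in this list — a signature added later without a matching REVOKE would be executable by PUBLIC with no in-function check to fall back on. That invariant is not stated anywhere in the hunk; a comment above the new block would make it explicit, e.g. `-- genfile.c no longer checks superuser(): every signature of these file-access functions must be REVOKEd from public here.` It would also help to note, as the commit message does, that EXECUTE may be GRANTed to a role deliberately, so a reader does not mistake a later GRANT for an oversight.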

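--- a/src/backend/utils/adt/genfile.c
+++ b/src/backend/utils/adt/genfile.c
@@ -195,11 +195,6 @@ pg_read_file(PG_FUNCTION_ARGS)
 char *filename;
 text *result;
 
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser to read files"))));
-
 /* handle optional arguments */
 if (PG_NARGS() >= 3)
 {
@@ -236,11 +231,6 @@ pg_read_binary_file(PG_FUNCTION_ARGS)
 char *filename;
 bytea *result;
 
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser to read files"))));
-
 /* handle optional arguments */
 if (PG_NARGS() >= 3)
 {
@@ -313,11 +303,6 @@ pg_stat_file(PG_FUNCTION_ARGS)
 TupleDesc tupdesc;
 bool missing_ok = false;
 
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser to get file information"))));
-
 /* check the optional argument */
 if (PG_NARGS() == 2)
 missing_ok = PG_GETARG_BOOL(1);
@@ -399,11 +384,6 @@ pg_ls_dir(PG_FUNCTION_ARGS)
 directory_fctx *fctx;
 MemoryContext oldcontext;
 
-if (!superuser())
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-(errmsg("must be superuser to get directory listings"))));
-
 if (SRF_IS_FIRSTCALL())
 {
 bool missing_ok = false;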
