Skip site navigation (1) Skip section navigation (2)

Change Ownership Permission Checks

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: pgsql-patches(at)postgresql(dot)org
Subject: Change Ownership Permission Checks
Date: 2005-06-29 16:31:03
Message-ID: 20050629163103.GX24207@ns.snowman.net (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches
Greetings,

  Attached please find a patch to change how the permissions checking
  for alter-owner is done.  With roles there can be more than one
  'owner' of an object and therefore it becomes sensible to allow
  specific cases of ownership change for non-superusers.

  The permission checks for change-owner follow the alter-rename
  precedent that the new owner must have permission to create the object
  in the schema.

  The roles patch previously applied did not require the role for 
  which a database is being created to have createdb privileges, or for
  the role for which a schema is being created to have create
  privileges on the database (the role doing the creation did have to
  have those privileges though, of course).

  For 'container' type objects this seems reasonable.  'container' type
  objects are unlike others in a few ways, but one of the more notable
  differences for this case is that an owner may be specified as part of
  the create command.

  To support cleaning up the various checks, I also went ahead and
  modified is_member_of_role() to always return true when asked if a
  superuser is in a given role.  This seems reasonable, won't affect
  what's actually seen in the various tables, and allows us to eliminate
  explicit superuser() checks in a number of places.

  I have also reviewed the other superuser() calls in
  src/backend/commands/ and feel pretty comfortable that they're all
  necessary, reasonable, and don't need to be replaced with 
  *_ownercheck or other calls.

  The specific changes which have been changed, by file:
  aggregatecmds.c, alter-owner:
    alter-owner checks:
      User is owner of the to-be-changed object
      User is a member of the new owner's role
      New owner is permitted to create objects in the schema
      Superuser() requirement removed

  conversioncmds.c, rename:
    rename-checks:
      Changed from superuser() or same-roleId to pg_conversion_ownercheck
    alter-owner checks:
      User is owner of the to-be-changed object
      User is a member of the new owner's role
      New owner is permitted to create objects in the schema
      Superuser() requirement removed
    
  dbcommands.c:
    Moved superuser() check to have_createdb_privilege
    Cleaned up permissions checking in createdb and rename
    alter-owner checks:
      User is owner of the database
      User is a member of the new owner's role
      User has createdb privilege

  functioncmds.c:
    alter-owner checks:
      User is owner of the function
      User is a member of the new owner's role
      New owner is permitted to create objects in the schema

  opclasscmds.c:
    alter-owner checks:
      User is owner of the object
      User is a member of the new owner's role
      New owner has permission to create objects in the schema

  operatorcmds.c:
    alter-owner checks:
      User is owner of the object
      User is a member of the new owner's role
      New owner has permission to create objects in the schema

  schemacmds.c:
    Cleaned up create schema identify changing/setting/checking
    (This code was quite different from all the other create functions,
     these changes make it much more closely match createdb)
    alter-owner checks:
      User is owner of the schema
      User is a member of the new owner's role
      User has create privilege on database

  tablecmds.c:
    alter-owner checks:
      User is owner of the object
      User is a member of the new owner's role
      New owner has permission to create objects in the schema

  tablespace.c:
    alter-owner checks:
      User is owner of the tablespace
      User is a member of the new owner's role
      (No create-tablespace permission to check, tablespaces must be
       created by superusers and so alter-owner here really only matters
       if the superuser changed the tablespace owner to a non-superuser
       and then that non-superuser wants to change the ownership to yet
       another user, the other option would be to continue to force
       superuser-only for tablespace owner changes but I'm not sure I
       see the point if the superuser trusts the non-superuser enough to
       give them a tablespace...)

  typecmds.c:
    alter-owner checks:
      User is owner of the object
      User is a member of the new owner's role
      New owner has permission to create objects in the schema

  Many thanks.  As always, comments, questions, concerns, please let me
  know.

  	Thanks again,

		Stephen

In response to

Responses

pgsql-hackers by date

Next:From: Jonah H. HarrisDate: 2005-06-29 16:40:16
Subject: Re: Bytecode and virtual machine
Previous:From: Affan Bin SalmanDate: 2005-06-29 16:21:20
Subject: Re: Implementing SQL/PSM for PG 8.2

pgsql-patches by date

Next:From: Tom LaneDate: 2005-06-29 17:40:20
Subject: Re: [PATCHES] Users/Groups -> Roles
Previous:From: Tom LaneDate: 2005-06-29 14:48:21
Subject: Re: libpq: fix unlikely memory leak

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group