From: | Vaishnavi Prabakaran <vaishnaviprabakaran(at)gmail(dot)com> |
---|---|
To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Subject: | Re: Simplify ACL handling for large objects and removal of superuser() checks |
Date: | 2017-09-19 04:24:55 |
Message-ID: | CAOoUkxSnENPbSzmVjsnC2Na-qpwNQ6wJTvqQW1uO8_cxfLghxA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hi,
On Mon, Aug 14, 2017, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> wrote:
>Attached is a set of 3 patches:
I tried to review the patch and firstly patch applies cleanly without any
noise.
>- 0001 removes ALLOW_DANGEROUS_LO_FUNCTIONS
I think it is better to remove "ALLOW_DANGEROUS_LO_FUNCTIONS" from
pg_config_manual.h as well.
>- 0002 replaces the superuser checks with GRANT permissions
>- 0003 refactors the LO code to improve the ACL handling. Note that
>this patch introduces a more debatable change: now there is no
>distinction between INV_WRITE and INV_WRITE|INV_READ, as when
>INV_WRITE is used INV_READ is implied. The patch as proposed does a
>complete split of both permissions to give a system more natural and
>more flexible. The current behavior is documented.
>@@ -163,22 +150,16 @@ lo_read(int fd, char *buf, int len)
> ....
> + if ((lobj->flags & IFS_RDLOCK) == 0)
>+ ereport(ERROR,
>+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
>+ errmsg("large object descriptor %d was not opened for reading",
>+ fd)));
Do we ever reach this error? Because per my understanding
1) if the application didn't call lo_open before lo_read, then file
descriptor validation in the beginning of this function should capture it.
2) if the application called lo_open only with write mode should be able to
read as well per documentation.
Ok, in the inv_open(), IFS_RDLOCK is set only when explicit READ mode is
requested. So, it causes lo_read failure when large-object is opened in
WRITE mode? I think documented behavior is more appropriate and post ACL
checks for select and update permissions in inv_open(), IFS_RDLOCK flag
should be set regardless of mode specified.
Thanks & Regards,
Vaishnavi,
Fujitsu Australia.
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2017-09-19 04:30:14 | Re: Rewriting the test of pg_upgrade as a TAP test |
Previous Message | Andres Freund | 2017-09-19 04:07:03 | Re: pgsql: Add test for postmaster crash restarts. |