From fbe9dd7d9fb4674cf2ca25b6cd4f05556c201d89 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Wed, 27 Nov 2019 16:32:50 +0100 Subject: [PATCH v3 1/3] Remove any-user DML capability from allow_system_table_mods Previously, allow_system_table_mods allowed a non-superuser to do DML on a system table without further permission checks. This has been removed, as it was quite inconsistent with the rest of the meaning of this setting. (Since allow_system_table_mods was previously only accessible with a server restart, it is unlikely that anyone was using this possibility.) Discussion: https://www.postgresql.org/message-id/flat/8b00ea5e-28a7-88ba-e848-21528b632354%402ndquadrant.com --- src/backend/catalog/aclchk.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index bed10f9409..ea5666ebb8 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -3851,7 +3851,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid, /* * Deny anyone permission to update a system catalog unless - * pg_authid.rolsuper is set. Also allow it if allowSystemTableMods. + * pg_authid.rolsuper is set. * * As of 7.4 we have some updatable system views; those shouldn't be * protected in this way. Assume the view rules can take care of @@ -3860,8 +3860,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid, if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) && IsSystemClass(table_oid, classForm) && classForm->relkind != RELKIND_VIEW && - !superuser_arg(roleid) && - !allowSystemTableMods) + !superuser_arg(roleid)) { #ifdef ACLDEBUG elog(DEBUG2, "permission denied for system catalog update"); base-commit: ca266a069a20c32a8f0a1df982a5a67d9483bcb3 -- 2.24.0