Author: Noah Misch Commit: Noah Misch Rollup of three patches, for easy testing. diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out index 0649b6b..1bcc29b 100644 --- a/contrib/postgres_fdw/expected/postgres_fdw.out +++ b/contrib/postgres_fdw/expected/postgres_fdw.out @@ -8925,7 +8925,7 @@ $d$; -- But creation of user mappings for non-superusers should fail CREATE USER MAPPING FOR public SERVER loopback_nopw; CREATE USER MAPPING FOR CURRENT_USER SERVER loopback_nopw; -CREATE FOREIGN TABLE ft1_nopw ( +CREATE FOREIGN TABLE pg_temp.ft1_nopw ( c1 int NOT NULL, c2 int NOT NULL, c3 text, diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql index 2b525ea..803e288 100644 --- a/contrib/postgres_fdw/sql/postgres_fdw.sql +++ b/contrib/postgres_fdw/sql/postgres_fdw.sql @@ -2595,7 +2595,7 @@ $d$; CREATE USER MAPPING FOR public SERVER loopback_nopw; CREATE USER MAPPING FOR CURRENT_USER SERVER loopback_nopw; -CREATE FOREIGN TABLE ft1_nopw ( +CREATE FOREIGN TABLE pg_temp.ft1_nopw ( c1 int NOT NULL, c2 int NOT NULL, c3 text, diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml index f073fba..550b3d0 100644 --- a/doc/src/sgml/ddl.sgml +++ b/doc/src/sgml/ddl.sgml @@ -2976,20 +2976,18 @@ SELECT 3 OPERATOR(pg_catalog.+) 4; By default, users cannot access any objects in schemas they do not own. To allow that, the owner of the schema must grant the - USAGE privilege on the schema. To allow users - to make use of the objects in the schema, additional privileges - might need to be granted, as appropriate for the object. + USAGE privilege on the schema. By default, everyone + has that privilege on the schema public. To allow + users to make use of the objects in a schema, additional privileges might + need to be granted, as appropriate for the object. - A user can also be allowed to create objects in someone else's - schema. To allow that, the CREATE privilege on - the schema needs to be granted. Note that by default, everyone - has CREATE and USAGE privileges on - the schema - public. This allows all users that are able to - connect to a given database to create objects in its - public schema. + A user can also be allowed to create objects in someone else's schema. To + allow that, the CREATE privilege on the schema needs to + be granted. In databases upgraded from + PostgreSQL 13 or earlier, everyone has that + privilege on the schema public. Some usage patterns call for revoking that privilege: @@ -3062,20 +3060,25 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC; database owner attack. --> Constrain ordinary users to user-private schemas. To implement this, - issue REVOKE CREATE ON SCHEMA public FROM PUBLIC, - and create a schema for each user with the same name as that user. - Recall that the default search path starts - with $user, which resolves to the user name. - Therefore, if each user has a separate schema, they access their own - schemas by default. After adopting this pattern in a database where - untrusted users had already logged in, consider auditing the public - schema for objects named like objects in + first issue REVOKE CREATE ON SCHEMA public FROM + PUBLIC. Then, for every user needing to create non-temporary + objects, create a schema with the same name as that user. Recall that + the default search path starts with $user, which + resolves to the user name. Therefore, if each user has a separate + schema, they access their own schemas by default. After adopting this + pattern in a database where untrusted users had already logged in, + consider auditing the public schema for objects named like objects in schema pg_catalog. This pattern is a secure schema usage pattern unless an untrusted user is the database owner or holds the CREATEROLE privilege, in which case no secure schema usage pattern exists. + If the database originated in an upgrade + from PostgreSQL 13 or earlier, + the REVOKE is essential. Otherwise, the default + configuration follows this pattern; ordinary users can create only + temporary objects until a privileged user furnishes a schema. @@ -3084,10 +3087,10 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC; Remove the public schema from the default search path, by modifying postgresql.conf or by issuing ALTER ROLE ALL SET search_path = - "$user". Everyone retains the ability to create objects in - the public schema, but only qualified names will choose those objects. - While qualified table references are fine, calls to functions in the - public schema will be unsafe or + "$user". Then, grant privileges to create in the public + schema. Only qualified names will choose public schema objects. While + qualified table references are fine, calls to functions in the public + schema will be unsafe or unreliable. If you create functions or extensions in the public schema, use the first pattern instead. Otherwise, like the first pattern, this is secure unless an untrusted user is the database owner @@ -3097,11 +3100,14 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC; - Keep the default. All users access the public schema implicitly. This + Keep the default search path, and grant privileges to create in the + public schema. All users access the public schema implicitly. This simulates the situation where schemas are not available at all, giving a smooth transition from the non-schema-aware world. However, this is never a secure pattern. It is acceptable only when the database has a - single user or a few mutually-trusting users. + single user or a few mutually-trusting users. In databases upgraded + from PostgreSQL 13 or earlier, this is the + default. diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 6920f2d..9dc8ab2 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -578,13 +578,14 @@ DROP ROLE doomed_role; The pg_database_owner role has one implicit, - situation-dependent member, namely the owner of the current database. The - role conveys no rights at first. Like any role, it can own objects or - receive grants of access privileges. Consequently, once - pg_database_owner has rights within a template database, - each owner of a database instantiated from that template will exercise those - rights. pg_database_owner cannot be a member of any - role, and it cannot have non-implicit members. + situation-dependent member, namely the owner of the current database. Like + any role, it can own objects or receive grants of access privileges. + Consequently, once pg_database_owner has rights within a + template database, each owner of a database instantiated from that template + will exercise those rights. pg_database_owner cannot be + a member of any role, and it cannot have non-implicit members. Initially, + this role owns the public schema, so each database owner + governs local use of the schema. @@ -633,8 +634,8 @@ GRANT pg_signal_backend TO admin_user; horse others with relative ease. The strongest protection is tight control over who can define objects. Where that is infeasible, write queries referring only to objects having trusted owners. Remove - from search_path the public schema and any other schemas - that permit untrusted users to create objects. + from search_path any schemas that permit untrusted users + to create objects. diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c index 3c1cf78..738b2cf 100644 --- a/src/bin/initdb/initdb.c +++ b/src/bin/initdb/initdb.c @@ -1702,8 +1702,7 @@ setup_privileges(FILE *cmdfd) CppAsString2(RELKIND_VIEW) ", " CppAsString2(RELKIND_MATVIEW) ", " CppAsString2(RELKIND_SEQUENCE) ")" " AND relacl IS NULL;\n\n", - "GRANT USAGE ON SCHEMA pg_catalog TO PUBLIC;\n\n", - "GRANT CREATE, USAGE ON SCHEMA public TO PUBLIC;\n\n", + "GRANT USAGE ON SCHEMA pg_catalog, public TO PUBLIC;\n\n", "REVOKE ALL ON pg_largeobject FROM PUBLIC;\n\n", "INSERT INTO pg_init_privs " " (objoid, classoid, objsubid, initprivs, privtype)" diff --git a/src/bin/pg_dump/dumputils.c b/src/bin/pg_dump/dumputils.c index 60d306e..ea67e52 100644 --- a/src/bin/pg_dump/dumputils.c +++ b/src/bin/pg_dump/dumputils.c @@ -725,6 +725,7 @@ void buildACLQueries(PQExpBuffer acl_subquery, PQExpBuffer racl_subquery, PQExpBuffer init_acl_subquery, PQExpBuffer init_racl_subquery, const char *acl_column, const char *acl_owner, + const char *initprivs_expr, const char *obj_kind, bool binary_upgrade) { /* @@ -765,23 +766,25 @@ buildACLQueries(PQExpBuffer acl_subquery, PQExpBuffer racl_subquery, "WITH ORDINALITY AS perm(acl,row_n) " "WHERE NOT EXISTS ( " "SELECT 1 FROM " - "pg_catalog.unnest(coalesce(pip.initprivs,pg_catalog.acldefault(%s,%s))) " + "pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) " "AS init(init_acl) WHERE acl = init_acl)) as foo)", acl_column, obj_kind, acl_owner, + initprivs_expr, obj_kind, acl_owner); printfPQExpBuffer(racl_subquery, "(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM " "(SELECT acl, row_n FROM " - "pg_catalog.unnest(coalesce(pip.initprivs,pg_catalog.acldefault(%s,%s))) " + "pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) " "WITH ORDINALITY AS initp(acl,row_n) " "WHERE NOT EXISTS ( " "SELECT 1 FROM " "pg_catalog.unnest(coalesce(%s,pg_catalog.acldefault(%s,%s))) " "AS permp(orig_acl) WHERE acl = orig_acl)) as foo)", + initprivs_expr, obj_kind, acl_owner, acl_column, @@ -807,12 +810,13 @@ buildACLQueries(PQExpBuffer acl_subquery, PQExpBuffer racl_subquery, printfPQExpBuffer(init_acl_subquery, "CASE WHEN privtype = 'e' THEN " "(SELECT pg_catalog.array_agg(acl ORDER BY row_n) FROM " - "(SELECT acl, row_n FROM pg_catalog.unnest(pip.initprivs) " + "(SELECT acl, row_n FROM pg_catalog.unnest(%s) " "WITH ORDINALITY AS initp(acl,row_n) " "WHERE NOT EXISTS ( " "SELECT 1 FROM " "pg_catalog.unnest(pg_catalog.acldefault(%s,%s)) " "AS privm(orig_acl) WHERE acl = orig_acl)) as foo) END", + initprivs_expr, obj_kind, acl_owner); @@ -823,10 +827,11 @@ buildACLQueries(PQExpBuffer acl_subquery, PQExpBuffer racl_subquery, "pg_catalog.unnest(pg_catalog.acldefault(%s,%s)) " "WITH ORDINALITY AS privp(acl,row_n) " "WHERE NOT EXISTS ( " - "SELECT 1 FROM pg_catalog.unnest(pip.initprivs) " + "SELECT 1 FROM pg_catalog.unnest(%s) " "AS initp(init_acl) WHERE acl = init_acl)) as foo) END", obj_kind, - acl_owner); + acl_owner, + initprivs_expr); } else { diff --git a/src/bin/pg_dump/dumputils.h b/src/bin/pg_dump/dumputils.h index 6e97da7..f5465f1 100644 --- a/src/bin/pg_dump/dumputils.h +++ b/src/bin/pg_dump/dumputils.h @@ -54,6 +54,7 @@ extern void emitShSecLabels(PGconn *conn, PGresult *res, extern void buildACLQueries(PQExpBuffer acl_subquery, PQExpBuffer racl_subquery, PQExpBuffer init_acl_subquery, PQExpBuffer init_racl_subquery, const char *acl_column, const char *acl_owner, + const char *initprivs_expr, const char *obj_kind, bool binary_upgrade); extern bool variable_is_guc_list_quote(const char *name); diff --git a/src/bin/pg_dump/pg_backup_archiver.c b/src/bin/pg_dump/pg_backup_archiver.c index 0ac8b18..1d00fdc 100644 --- a/src/bin/pg_dump/pg_backup_archiver.c +++ b/src/bin/pg_dump/pg_backup_archiver.c @@ -3629,10 +3629,13 @@ _printTocEntry(ArchiveHandle *AH, TocEntry *te, bool isData) * Actually print the definition. * * Really crude hack for suppressing AUTHORIZATION clause that old pg_dump - * versions put into CREATE SCHEMA. We have to do this when --no-owner - * mode is selected. This is ugly, but I see no other good way ... + * versions put into CREATE SCHEMA. Don't mutate the modern definition + * for schema "public", which consists of a comment. We have to do this + * when --no-owner mode is selected. This is ugly, but I see no other + * good way ... */ - if (ropt->noOwner && strcmp(te->desc, "SCHEMA") == 0) + if (ropt->noOwner && + strcmp(te->desc, "SCHEMA") == 0 && strncmp(te->defn, "--", 2) != 0) { ahprintf(AH, "CREATE SCHEMA %s;\n\n\n", fmtId(te->tag)); } @@ -3644,11 +3647,16 @@ _printTocEntry(ArchiveHandle *AH, TocEntry *te, bool isData) /* * If we aren't using SET SESSION AUTH to determine ownership, we must - * instead issue an ALTER OWNER command. We assume that anything without - * a DROP command is not a separately ownable object. All the categories - * with DROP commands must appear in one list or the other. + * instead issue an ALTER OWNER command. Schema "public" is special; a + * dump never creates it, so we use ALTER OWNER even when using SET + * SESSION for all other objects. We assume that anything without a DROP + * command is not a separately ownable object. All the categories with + * DROP commands must appear in one list or the other. */ - if (!ropt->noOwner && !ropt->use_setsessauth && + if (!ropt->noOwner && + (!ropt->use_setsessauth || + (strcmp(te->tag, "public") == 0 + && strcmp(te->desc, "SCHEMA") == 0)) && te->owner && strlen(te->owner) > 0 && te->dropStmt && strlen(te->dropStmt) > 0) { diff --git a/src/bin/pg_dump/pg_dump.c b/src/bin/pg_dump/pg_dump.c index da6cc05..c4f3bd2 100644 --- a/src/bin/pg_dump/pg_dump.c +++ b/src/bin/pg_dump/pg_dump.c @@ -44,6 +44,7 @@ #include "catalog/pg_aggregate_d.h" #include "catalog/pg_am_d.h" #include "catalog/pg_attribute_d.h" +#include "catalog/pg_authid_d.h" #include "catalog/pg_cast_d.h" #include "catalog/pg_class_d.h" #include "catalog/pg_collation_d.h" @@ -1571,13 +1572,15 @@ selectDumpableNamespace(NamespaceInfo *nsinfo, Archive *fout) { /* * The public schema is a strange beast that sits in a sort of - * no-mans-land between being a system object and a user object. We - * don't want to dump creation or comment commands for it, because - * that complicates matters for non-superuser use of pg_dump. But we - * should dump any ACL changes that have occurred for it, and of - * course we should dump contained objects. + * no-mans-land between being a system object and a user object. + * CREATE SCHEMA would fail, so its DUMP_COMPONENT_DEFINITION is just + * a comment and an indication of ownership. If the owner is the + * default, omit that superfluous DUMP_COMPONENT_DEFINITION. Before + * v14, the default owner was BOOTSTRAP_SUPERUSERID. */ - nsinfo->dobj.dump = DUMP_COMPONENT_ACL; + nsinfo->dobj.dump = DUMP_COMPONENT_ALL; + if (nsinfo->nspowner == DEFAULT_ROLE_DATABASE_OWNER) + nsinfo->dobj.dump &= ~DUMP_COMPONENT_DEFINITION; nsinfo->dobj.dump_contains = DUMP_COMPONENT_ALL; } else @@ -3402,8 +3405,8 @@ getBlobs(Archive *fout) PQExpBuffer init_racl_subquery = createPQExpBuffer(); buildACLQueries(acl_subquery, racl_subquery, init_acl_subquery, - init_racl_subquery, "l.lomacl", "l.lomowner", "'L'", - dopt->binary_upgrade); + init_racl_subquery, "l.lomacl", "l.lomowner", + "pip.initprivs", "'L'", dopt->binary_upgrade); appendPQExpBuffer(blobQry, "SELECT l.oid, (%s l.lomowner) AS rolname, " @@ -4804,6 +4807,7 @@ getNamespaces(Archive *fout, int *numNamespaces) int i_tableoid; int i_oid; int i_nspname; + int i_nspowner; int i_rolname; int i_nspacl; int i_rnspacl; @@ -4823,11 +4827,32 @@ getNamespaces(Archive *fout, int *numNamespaces) PQExpBuffer init_acl_subquery = createPQExpBuffer(); PQExpBuffer init_racl_subquery = createPQExpBuffer(); + /* + * Bypass pg_init_privs.initprivs for the public schema, for several + * reasons. First, dropping and recreating the schema detaches it + * from its pg_init_privs row, but an empty destination database + * starts with this ACL nonetheless. Second, we support dump/reload + * of public schema ownership changes. ALTER SCHEMA OWNER filters + * nspacl through aclnewowner(), but initprivs continues to reflect + * the initial owner. Hence, synthesize the value that nspacl will + * have after the restore's ALTER SCHEMA OWNER. Third, this makes the + * destination database match the source's ACL, even if the latter was + * an initdb-default ACL, which changed in v14. An upgrade pulls in + * changes to most system object ACLs that the DBA had not customized. + * We've made the public schema depart from that, because changing its + * ACL so easily breaks applications. + */ buildACLQueries(acl_subquery, racl_subquery, init_acl_subquery, - init_racl_subquery, "n.nspacl", "n.nspowner", "'n'", - dopt->binary_upgrade); + init_racl_subquery, "n.nspacl", "n.nspowner", + "CASE WHEN n.nspname = 'public' THEN array[" + " format('%s=UC/%s', " + " n.nspowner::regrole, n.nspowner::regrole)," + " format('=U/%s', n.nspowner::regrole)]::aclitem[] " + "ELSE pip.initprivs END", + "'n'", dopt->binary_upgrade); appendPQExpBuffer(query, "SELECT n.tableoid, n.oid, n.nspname, " + "n.nspowner, " "(%s nspowner) AS rolname, " "%s as nspacl, " "%s as rnspacl, " @@ -4852,7 +4877,7 @@ getNamespaces(Archive *fout, int *numNamespaces) destroyPQExpBuffer(init_racl_subquery); } else - appendPQExpBuffer(query, "SELECT tableoid, oid, nspname, " + appendPQExpBuffer(query, "SELECT tableoid, oid, nspname, nspowner, " "(%s nspowner) AS rolname, " "nspacl, NULL as rnspacl, " "NULL AS initnspacl, NULL as initrnspacl " @@ -4868,6 +4893,7 @@ getNamespaces(Archive *fout, int *numNamespaces) i_tableoid = PQfnumber(res, "tableoid"); i_oid = PQfnumber(res, "oid"); i_nspname = PQfnumber(res, "nspname"); + i_nspowner = PQfnumber(res, "nspowner"); i_rolname = PQfnumber(res, "rolname"); i_nspacl = PQfnumber(res, "nspacl"); i_rnspacl = PQfnumber(res, "rnspacl"); @@ -4881,6 +4907,7 @@ getNamespaces(Archive *fout, int *numNamespaces) nsinfo[i].dobj.catId.oid = atooid(PQgetvalue(res, i, i_oid)); AssignDumpId(&nsinfo[i].dobj); nsinfo[i].dobj.name = pg_strdup(PQgetvalue(res, i, i_nspname)); + nsinfo[i].nspowner = atooid(PQgetvalue(res, i, i_nspowner)); nsinfo[i].rolname = pg_strdup(PQgetvalue(res, i, i_rolname)); nsinfo[i].nspacl = pg_strdup(PQgetvalue(res, i, i_nspacl)); nsinfo[i].rnspacl = pg_strdup(PQgetvalue(res, i, i_rnspacl)); @@ -5072,8 +5099,8 @@ getTypes(Archive *fout, int *numTypes) PQExpBuffer initracl_subquery = createPQExpBuffer(); buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, - initracl_subquery, "t.typacl", "t.typowner", "'T'", - dopt->binary_upgrade); + initracl_subquery, "t.typacl", "t.typowner", + "pip.initprivs", "'T'", dopt->binary_upgrade); appendPQExpBuffer(query, "SELECT t.tableoid, t.oid, t.typname, " "t.typnamespace, " @@ -5774,8 +5801,8 @@ getAggregates(Archive *fout, int *numAggs) const char *agg_check; buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, - initracl_subquery, "p.proacl", "p.proowner", "'f'", - dopt->binary_upgrade); + initracl_subquery, "p.proacl", "p.proowner", + "pip.initprivs", "'f'", dopt->binary_upgrade); agg_check = (fout->remoteVersion >= 110000 ? "p.prokind = 'a'" : "p.proisagg"); @@ -5987,8 +6014,8 @@ getFuncs(Archive *fout, int *numFuncs) const char *not_agg_check; buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, - initracl_subquery, "p.proacl", "p.proowner", "'f'", - dopt->binary_upgrade); + initracl_subquery, "p.proacl", "p.proowner", + "pip.initprivs", "'f'", dopt->binary_upgrade); not_agg_check = (fout->remoteVersion >= 110000 ? "p.prokind <> 'a'" : "NOT p.proisagg"); @@ -6284,13 +6311,14 @@ getTables(Archive *fout, int *numTables) buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, initracl_subquery, "c.relacl", "c.relowner", + "pip.initprivs", "CASE WHEN c.relkind = " CppAsString2(RELKIND_SEQUENCE) " THEN 's' ELSE 'r' END::\"char\"", dopt->binary_upgrade); buildACLQueries(attacl_subquery, attracl_subquery, attinitacl_subquery, - attinitracl_subquery, "at.attacl", "c.relowner", "'c'", - dopt->binary_upgrade); + attinitracl_subquery, "at.attacl", "c.relowner", + "pip.initprivs", "'c'", dopt->binary_upgrade); appendPQExpBuffer(query, "SELECT c.tableoid, c.oid, c.relname, " @@ -8288,8 +8316,8 @@ getProcLangs(Archive *fout, int *numProcLangs) PQExpBuffer initracl_subquery = createPQExpBuffer(); buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, - initracl_subquery, "l.lanacl", "l.lanowner", "'l'", - dopt->binary_upgrade); + initracl_subquery, "l.lanacl", "l.lanowner", + "pip.initprivs", "'l'", dopt->binary_upgrade); /* pg_language has a laninline column */ appendPQExpBuffer(query, "SELECT l.tableoid, l.oid, " @@ -9479,8 +9507,8 @@ getForeignDataWrappers(Archive *fout, int *numForeignDataWrappers) PQExpBuffer initracl_subquery = createPQExpBuffer(); buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, - initracl_subquery, "f.fdwacl", "f.fdwowner", "'F'", - dopt->binary_upgrade); + initracl_subquery, "f.fdwacl", "f.fdwowner", + "pip.initprivs", "'F'", dopt->binary_upgrade); appendPQExpBuffer(query, "SELECT f.tableoid, f.oid, f.fdwname, " "(%s f.fdwowner) AS rolname, " @@ -9646,8 +9674,8 @@ getForeignServers(Archive *fout, int *numForeignServers) PQExpBuffer initracl_subquery = createPQExpBuffer(); buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, - initracl_subquery, "f.srvacl", "f.srvowner", "'S'", - dopt->binary_upgrade); + initracl_subquery, "f.srvacl", "f.srvowner", + "pip.initprivs", "'S'", dopt->binary_upgrade); appendPQExpBuffer(query, "SELECT f.tableoid, f.oid, f.srvname, " "(%s f.srvowner) AS rolname, " @@ -9793,6 +9821,7 @@ getDefaultACLs(Archive *fout, int *numDefaultACLs) buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, initracl_subquery, "defaclacl", "defaclrole", + "pip.initprivs", "CASE WHEN defaclobjtype = 'S' THEN 's' ELSE defaclobjtype END::\"char\"", dopt->binary_upgrade); @@ -9947,6 +9976,28 @@ dumpComment(Archive *fout, const char *type, const char *name, ncomments--; } + /* + * Skip dumping the initdb-provided public schema comment, which would + * complicate matters for non-superuser use of pg_dump. When the DBA has + * removed initdb's comment, replicate that. + */ + if (strcmp(type, "SCHEMA") == 0 && strcmp(name, "public") == 0) + { + static CommentItem empty_comment = {.descr = ""}; + + if (ncomments == 0) + { + comments = &empty_comment; + ncomments = 1; + } + else if (strcmp(comments->descr, (fout->remoteVersion >= 80300 ? + "standard public schema" : + "Standard public schema")) == 0) + { + ncomments = 0; + } + } + /* If a comment exists, build COMMENT ON statement */ if (ncomments > 0) { @@ -10410,9 +10461,19 @@ dumpNamespace(Archive *fout, const NamespaceInfo *nspinfo) qnspname = pg_strdup(fmtId(nspinfo->dobj.name)); - appendPQExpBuffer(delq, "DROP SCHEMA %s;\n", qnspname); - - appendPQExpBuffer(q, "CREATE SCHEMA %s;\n", qnspname); + if (strcmp(nspinfo->dobj.name, "public") == 0) + { + /* see selectDumpableNamespace() */ + appendPQExpBufferStr(delq, + "-- *not* dropping schema, since initdb creates it\n"); + appendPQExpBufferStr(q, + "-- *not* creating schema, since initdb creates it\n"); + } + else + { + appendPQExpBuffer(delq, "DROP SCHEMA %s;\n", qnspname); + appendPQExpBuffer(q, "CREATE SCHEMA %s;\n", qnspname); + } if (dopt->binary_upgrade) binary_upgrade_extension_member(q, &nspinfo->dobj, @@ -15560,8 +15621,8 @@ dumpTable(Archive *fout, const TableInfo *tbinfo) PQExpBuffer initracl_subquery = createPQExpBuffer(); buildACLQueries(acl_subquery, racl_subquery, initacl_subquery, - initracl_subquery, "at.attacl", "c.relowner", "'c'", - dopt->binary_upgrade); + initracl_subquery, "at.attacl", "c.relowner", + "pip.initprivs", "'c'", dopt->binary_upgrade); appendPQExpBuffer(query, "SELECT at.attname, " diff --git a/src/bin/pg_dump/pg_dump.h b/src/bin/pg_dump/pg_dump.h index 5340843..e4256fa 100644 --- a/src/bin/pg_dump/pg_dump.h +++ b/src/bin/pg_dump/pg_dump.h @@ -142,6 +142,7 @@ typedef struct _dumpableObject typedef struct _namespaceInfo { DumpableObject dobj; + Oid nspowner; char *rolname; /* name of owner, or empty string */ char *nspacl; char *rnspacl; diff --git a/src/bin/pg_dump/t/002_pg_dump.pl b/src/bin/pg_dump/t/002_pg_dump.pl index 737e464..02b4418 100644 --- a/src/bin/pg_dump/t/002_pg_dump.pl +++ b/src/bin/pg_dump/t/002_pg_dump.pl @@ -125,6 +125,14 @@ my %pgdump_runs = ( 'regress_pg_dump_test', ], }, + defaults_public_owner => { + database => 'regress_public_owner', + dump_cmd => [ + 'pg_dump', '--no-sync', '-f', + "$tempdir/defaults_public_owner.sql", + 'regress_public_owner', + ], + }, # Do not use --no-sync to give test coverage for data sync. defaults_custom_format => { @@ -605,6 +613,26 @@ my %tests = ( unlike => { no_owner => 1, }, }, + 'ALTER SCHEMA public OWNER TO' => { + create_order => 15, + create_sql => + 'ALTER SCHEMA public OWNER TO "regress_quoted \"" role";', + regexp => qr/^ALTER SCHEMA public OWNER TO .+;/m, + like => { + %full_runs, section_pre_data => 1, + }, + unlike => { no_owner => 1, }, + }, + + 'ALTER SCHEMA public OWNER TO (w/o ACL changes)' => { + database => 'regress_public_owner', + create_order => 100, + create_sql => + 'ALTER SCHEMA public OWNER TO "regress_quoted \"" role";', + regexp => qr/^(GRANT|REVOKE)/m, + unlike => { defaults_public_owner => 1 }, + }, + 'ALTER SEQUENCE test_table_col1_seq' => { regexp => qr/^ \QALTER SEQUENCE dump_test.test_table_col1_seq OWNED BY dump_test.test_table.col1;\E @@ -940,6 +968,23 @@ my %tests = ( like => {}, }, + 'COMMENT ON SCHEMA public' => { + regexp => qr/^COMMENT ON SCHEMA public IS .+;/m, + # regress_public_owner emits this, due to create_sql of next test + like => { + pg_dumpall_dbprivs => 1, + pg_dumpall_exclude => 1, + }, + }, + + 'COMMENT ON SCHEMA public IS NULL' => { + database => 'regress_public_owner', + create_order => 100, + create_sql => 'COMMENT ON SCHEMA public IS NULL;', + regexp => qr/^COMMENT ON SCHEMA public IS '';/m, + like => { defaults_public_owner => 1 }, + }, + 'COMMENT ON TABLE dump_test.test_table' => { create_order => 36, create_sql => 'COMMENT ON TABLE dump_test.test_table @@ -1370,6 +1415,18 @@ my %tests = ( }, }, + 'CREATE ROLE regress_quoted...' => { + create_order => 1, + create_sql => 'CREATE ROLE "regress_quoted \"" role";', + regexp => qr/^\QCREATE ROLE "regress_quoted \"" role";\E/m, + like => { + pg_dumpall_dbprivs => 1, + pg_dumpall_exclude => 1, + pg_dumpall_globals => 1, + pg_dumpall_globals_clean => 1, + }, + }, + 'CREATE ACCESS METHOD gist2' => { create_order => 52, create_sql => @@ -3261,6 +3318,23 @@ my %tests = ( unlike => { no_privs => 1, }, }, + # With the exception of the public schema, we don't dump ownership changes + # for objects originating at initdb. Hence, any GRANT or REVOKE affecting + # owner privileges for those objects should reference the bootstrap + # superuser, not the dump-time owner. + 'REVOKE EXECUTE ON FUNCTION pg_stat_reset FROM regress_dump_test_role' => + { + create_order => 15, + create_sql => ' + ALTER FUNCTION pg_stat_reset OWNER TO regress_dump_test_role; + REVOKE EXECUTE ON FUNCTION pg_stat_reset + FROM regress_dump_test_role;', + regexp => qr/^[^-].*pg_stat_reset.* regress_dump_test_role/m, + + # this shouldn't ever get emitted + like => {}, + }, + 'REVOKE SELECT ON TABLE pg_proc FROM public' => { create_order => 45, create_sql => 'REVOKE SELECT ON TABLE pg_proc FROM public;', @@ -3270,12 +3344,12 @@ my %tests = ( unlike => { no_privs => 1, }, }, - 'REVOKE CREATE ON SCHEMA public FROM public' => { + 'REVOKE ALL ON SCHEMA public' => { create_order => 16, - create_sql => 'REVOKE CREATE ON SCHEMA public FROM public;', - regexp => qr/^ - \QREVOKE ALL ON SCHEMA public FROM PUBLIC;\E - \n\QGRANT USAGE ON SCHEMA public TO PUBLIC;\E + create_sql => + 'REVOKE ALL ON SCHEMA public FROM "regress_quoted \"" role";', + regexp => qr/^ + \QREVOKE ALL ON SCHEMA public FROM "regress_quoted \"" role";\E /xm, like => { %full_runs, section_pre_data => 1, }, unlike => { no_privs => 1, }, @@ -3376,8 +3450,9 @@ if ($collation_check_stderr !~ /ERROR: /) $collation_support = 1; } -# Create a second database for certain tests to work against +# Create additional databases for mutations of schema public $node->psql('postgres', 'create database regress_pg_dump_test;'); +$node->psql('postgres', 'create database regress_public_owner;'); # Start with number of command_fails_like()*2 tests below (each # command_fails_like is actually 2 tests) diff --git a/src/include/catalog/pg_namespace.dat b/src/include/catalog/pg_namespace.dat index 2ed136b..7932aa6 100644 --- a/src/include/catalog/pg_namespace.dat +++ b/src/include/catalog/pg_namespace.dat @@ -18,8 +18,9 @@ { oid => '99', oid_symbol => 'PG_TOAST_NAMESPACE', descr => 'reserved schema for TOAST tables', nspname => 'pg_toast', nspacl => '_null_' }, +# update dumpComment() if changing this descr { oid => '2200', oid_symbol => 'PG_PUBLIC_NAMESPACE', descr => 'standard public schema', - nspname => 'public', nspacl => '_null_' }, + nspname => 'public', nspowner => 'pg_database_owner', nspacl => '_null_' }, ] diff --git a/src/pl/plperl/expected/plperl_setup.out b/src/pl/plperl/expected/plperl_setup.out index a1a24df..5234feb 100644 --- a/src/pl/plperl/expected/plperl_setup.out +++ b/src/pl/plperl/expected/plperl_setup.out @@ -25,6 +25,9 @@ CREATE EXTENSION plperl; CREATE EXTENSION plperlu; -- fail ERROR: permission denied to create extension "plperlu" HINT: Must be superuser to create this extension. +CREATE SCHEMA plperl_setup_scratch; +SET search_path = plperl_setup_scratch; +GRANT ALL ON SCHEMA plperl_setup_scratch TO regress_user2; CREATE FUNCTION foo1() returns int language plperl as '1;'; SELECT foo1(); foo1 @@ -34,6 +37,7 @@ SELECT foo1(); -- Must reconnect to avoid failure with non-MULTIPLICITY Perl interpreters \c - +SET search_path = plperl_setup_scratch; SET ROLE regress_user1; -- Should be able to change privileges on the language revoke all on language plperl from public; diff --git a/src/pl/plperl/sql/plperl_setup.sql b/src/pl/plperl/sql/plperl_setup.sql index 7484478..a89cf56 100644 --- a/src/pl/plperl/sql/plperl_setup.sql +++ b/src/pl/plperl/sql/plperl_setup.sql @@ -27,12 +27,16 @@ SET ROLE regress_user1; CREATE EXTENSION plperl; CREATE EXTENSION plperlu; -- fail +CREATE SCHEMA plperl_setup_scratch; +SET search_path = plperl_setup_scratch; +GRANT ALL ON SCHEMA plperl_setup_scratch TO regress_user2; CREATE FUNCTION foo1() returns int language plperl as '1;'; SELECT foo1(); -- Must reconnect to avoid failure with non-MULTIPLICITY Perl interpreters \c - +SET search_path = plperl_setup_scratch; SET ROLE regress_user1; diff --git a/src/test/regress/input/tablespace.source b/src/test/regress/input/tablespace.source index c133e73..cb9774e 100644 --- a/src/test/regress/input/tablespace.source +++ b/src/test/regress/input/tablespace.source @@ -388,7 +388,7 @@ CREATE INDEX k ON testschema.tablespace_acl (c) TABLESPACE regress_tblspace; ALTER TABLE testschema.tablespace_acl OWNER TO regress_tablespace_user2; SET SESSION ROLE regress_tablespace_user2; -CREATE TABLE tablespace_table (i int) TABLESPACE regress_tblspace; -- fail +CREATE TEMP TABLE tablespace_table (i int) TABLESPACE regress_tblspace; -- fail ALTER TABLE testschema.tablespace_acl ALTER c TYPE bigint; REINDEX (TABLESPACE regress_tblspace) TABLE tablespace_table; -- fail REINDEX (TABLESPACE regress_tblspace, CONCURRENTLY) TABLE tablespace_table; -- fail @@ -409,3 +409,6 @@ DROP SCHEMA testschema CASCADE; DROP ROLE regress_tablespace_user1; DROP ROLE regress_tablespace_user2; + +-- Rest of this suite can use the public schema freely. +GRANT ALL ON SCHEMA public TO public; diff --git a/src/test/regress/output/tablespace.source b/src/test/regress/output/tablespace.source index 1bbe7e0..e7629d4 100644 --- a/src/test/regress/output/tablespace.source +++ b/src/test/regress/output/tablespace.source @@ -908,7 +908,7 @@ CREATE TABLE testschema.tablespace_acl (c int); CREATE INDEX k ON testschema.tablespace_acl (c) TABLESPACE regress_tblspace; ALTER TABLE testschema.tablespace_acl OWNER TO regress_tablespace_user2; SET SESSION ROLE regress_tablespace_user2; -CREATE TABLE tablespace_table (i int) TABLESPACE regress_tblspace; -- fail +CREATE TEMP TABLE tablespace_table (i int) TABLESPACE regress_tblspace; -- fail ERROR: permission denied for tablespace regress_tblspace ALTER TABLE testschema.tablespace_acl ALTER c TYPE bigint; REINDEX (TABLESPACE regress_tblspace) TABLE tablespace_table; -- fail @@ -934,3 +934,5 @@ drop cascades to table testschema.atable drop cascades to table testschema.tablespace_acl DROP ROLE regress_tablespace_user1; DROP ROLE regress_tablespace_user2; +-- Rest of this suite can use the public schema freely. +GRANT ALL ON SCHEMA public TO public;