diff options
| author | Stephen Frost <sfrost@snowman.net> | 2018-04-06 14:47:10 -0400 |
|---|---|---|
| committer | Stephen Frost <sfrost@snowman.net> | 2018-04-06 14:47:10 -0400 |
| commit | 0fdc8495bff02684142a44ab3bc5b18a8ca1863a (patch) | |
| tree | a7918b3868e8e1720e3117307e6abc4c5a463565 /src/backend/utils/adt/genfile.c | |
| parent | e79350fef2917522571add750e3e21af293b50fe (diff) | |
| download | postgresql-0fdc8495bff02684142a44ab3bc5b18a8ca1863a.tar.gz postgresql-0fdc8495bff02684142a44ab3bc5b18a8ca1863a.zip | |
Add default roles for file/program access
This patch adds new default roles named 'pg_read_server_files',
'pg_write_server_files', 'pg_execute_server_program' which
allow an administrator to GRANT to a non-superuser role the ability to
access server-side files or run programs through PostgreSQL (as the user
the database is running as). Having one of these roles allows a
non-superuser to use server-side COPY to read, write, or with a program,
and to use file_fdw (if installed by a superuser and GRANT'd USAGE on
it) to read from files or run a program.
The existing misc file functions are also changed to allow a user with
the 'pg_read_server_files' default role to read any files on the
filesystem, matching the privileges given to that role through COPY and
file_fdw from above.
Reviewed-By: Michael Paquier
Discussion: https://postgr.es/m/20171231191939.GR2416%40tamriel.snowman.net
Diffstat (limited to 'src/backend/utils/adt/genfile.c')
| -rw-r--r-- | src/backend/utils/adt/genfile.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/backend/utils/adt/genfile.c b/src/backend/utils/adt/genfile.c index a4c0f6d5ca1..9e85df18aa1 100644 --- a/src/backend/utils/adt/genfile.c +++ b/src/backend/utils/adt/genfile.c @@ -22,6 +22,7 @@ #include "access/htup_details.h" #include "access/xlog_internal.h" +#include "catalog/pg_authid.h" #include "catalog/pg_type.h" #include "funcapi.h" #include "mb/pg_wchar.h" @@ -45,6 +46,12 @@ typedef struct * * Filename may be absolute or relative to the DataDir, but we only allow * absolute paths that match DataDir or Log_directory. + * + * This does a privilege check against the 'pg_read_server_files' role, so + * this function is really only appropriate for callers who are only checking + * 'read' access. Do not use this function if you are looking for a check + * for 'write' or 'program' access without updating it to access the type + * of check as an argument and checking the appropriate role membership. */ static char * convert_and_check_filename(text *arg) @@ -54,6 +61,15 @@ convert_and_check_filename(text *arg) filename = text_to_cstring(arg); canonicalize_path(filename); /* filename can change length here */ + /* + * Members of the 'pg_read_server_files' role are allowed to access any + * files on the server as the PG user, so no need to do any further checks + * here. + */ + if (is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_SERVER_FILES)) + return filename; + + /* User isn't a member of the default role, so check if it's allowable */ if (is_absolute_path(filename)) { /* Disallow '/a/b/data/..' */ |