From e8116cff947a4a7dedf1fcf9c7d0b4b87b796237 Mon Sep 17 00:00:00 2001 From: Mark Dilger Date: Wed, 21 Oct 2020 20:27:23 -0700 Subject: [PATCH v20 5/5] Adding ACL checks for verify_heapam Requiring select privileges tables scanned by verify_heapam, in addition to the already required execute privileges on the function. --- contrib/amcheck/expected/check_heap.out | 6 ++++++ contrib/amcheck/sql/check_heap.sql | 7 +++++++ contrib/amcheck/verify_heapam.c | 8 ++++++++ doc/src/sgml/pgamcheck.sgml | 2 +- 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/contrib/amcheck/expected/check_heap.out b/contrib/amcheck/expected/check_heap.out index 882f853d56..41cdc6435c 100644 --- a/contrib/amcheck/expected/check_heap.out +++ b/contrib/amcheck/expected/check_heap.out @@ -95,6 +95,12 @@ SELECT * FROM verify_heapam(relation := 'heaptest'); ERROR: permission denied for function verify_heapam RESET ROLE; GRANT EXECUTE ON FUNCTION verify_heapam(regclass, boolean, boolean, text, bigint, bigint) TO regress_heaptest_role; +-- verify permissions are checked (error due to no select privileges on relation) +SET ROLE regress_heaptest_role; +SELECT * FROM verify_heapam(relation := 'heaptest'); +ERROR: permission denied for table heaptest +RESET ROLE; +GRANT SELECT ON heaptest TO regress_heaptest_role; -- verify permissions are now sufficient SET ROLE regress_heaptest_role; SELECT * FROM verify_heapam(relation := 'heaptest'); diff --git a/contrib/amcheck/sql/check_heap.sql b/contrib/amcheck/sql/check_heap.sql index c10a25f21c..c8397a46f0 100644 --- a/contrib/amcheck/sql/check_heap.sql +++ b/contrib/amcheck/sql/check_heap.sql @@ -41,6 +41,13 @@ RESET ROLE; GRANT EXECUTE ON FUNCTION verify_heapam(regclass, boolean, boolean, text, bigint, bigint) TO regress_heaptest_role; +-- verify permissions are checked (error due to no select privileges on relation) +SET ROLE regress_heaptest_role; +SELECT * FROM verify_heapam(relation := 'heaptest'); +RESET ROLE; + +GRANT SELECT ON heaptest TO regress_heaptest_role; + -- verify permissions are now sufficient SET ROLE regress_heaptest_role; SELECT * FROM verify_heapam(relation := 'heaptest'); diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c index a42b74ed46..2cb735f576 100644 --- a/contrib/amcheck/verify_heapam.c +++ b/contrib/amcheck/verify_heapam.c @@ -23,6 +23,7 @@ #include "miscadmin.h" #include "storage/bufmgr.h" #include "storage/procarray.h" +#include "utils/acl.h" #include "utils/builtins.h" #include "utils/fmgroids.h" @@ -434,6 +435,8 @@ verify_heapam(PG_FUNCTION_ARGS) static void sanity_check_relation(Relation rel) { + AclResult aclresult; + if (rel->rd_rel->relkind != RELKIND_RELATION && rel->rd_rel->relkind != RELKIND_MATVIEW && rel->rd_rel->relkind != RELKIND_TOASTVALUE) @@ -445,6 +448,11 @@ sanity_check_relation(Relation rel) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("only heap AM is supported"))); + aclresult = pg_class_aclcheck(rel->rd_id, GetUserId(), ACL_SELECT); + if (aclresult != ACLCHECK_OK) + aclcheck_error(aclresult, + get_relkind_objtype(rel->rd_rel->relkind), + RelationGetRelationName(rel)); } /* diff --git a/doc/src/sgml/pgamcheck.sgml b/doc/src/sgml/pgamcheck.sgml index 3e059e7753..fc36447dda 100644 --- a/doc/src/sgml/pgamcheck.sgml +++ b/doc/src/sgml/pgamcheck.sgml @@ -19,7 +19,7 @@ connecting as a user with sufficient privileges to check tables and indexes. Currently, this requires execute privileges on 's bt_index_parent_check and verify_heapam - functions. + functions, and on having privileges to access the relations being checked. -- 2.21.1 (Apple Git-122.3)