While it's generally unwise to give permissions on these functions to
anyone but a superuser, we've been moving away from hard-wired permission
checks inside functions in favor of using the SQL permission system to
control access. Bring lo_import() and lo_export() into compliance with
that approach.
In particular, this removes the manual configuration option
ALLOW_DANGEROUS_LO_FUNCTIONS. That dates back to 1999 (commit
4cd4a54c8);
it's unlikely anyone has used it in many years. Moreover, if you really
want such behavior, now you can get it with GRANT ... TO PUBLIC instead.
Michael Paquier
Discussion: https://postgr.es/m/CAB7nPqRHmNOYbETnc_2EjsuzSM00Z+BWKv9sy6tnvSd5gWT_JA@mail.gmail.com
STRICT IMMUTABLE PARALLEL SAFE
AS 'jsonb_insert';
+--
-- The default permissions for functions mean that anyone can execute them.
-- A number of functions shouldn't be executable by just anyone, but rather
-- than use explicit 'superuser()' checks in those functions, we use the GRANT
-- system to REVOKE access to those functions at initdb time. Administrators
-- can later change who can access these functions, or leave them as only
-- available to superuser / cluster owner, if they choose.
+--
REVOKE EXECUTE ON FUNCTION pg_start_backup(text, boolean, boolean) FROM public;
REVOKE EXECUTE ON FUNCTION pg_stop_backup() FROM public;
REVOKE EXECUTE ON FUNCTION pg_stop_backup(boolean, boolean) FROM public;
REVOKE EXECUTE ON FUNCTION pg_stat_reset_single_table_counters(oid) FROM public;
REVOKE EXECUTE ON FUNCTION pg_stat_reset_single_function_counters(oid) FROM public;
+REVOKE EXECUTE ON FUNCTION lo_import(text) FROM public;
+REVOKE EXECUTE ON FUNCTION lo_import(text, oid) FROM public;
+REVOKE EXECUTE ON FUNCTION lo_export(oid, text) FROM public;
+
REVOKE EXECUTE ON FUNCTION pg_ls_logdir() FROM public;
REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM public;
+
+--
+-- We also set up some things as accessible to standard roles.
+--
GRANT EXECUTE ON FUNCTION pg_ls_logdir() TO pg_monitor;
GRANT EXECUTE ON FUNCTION pg_ls_waldir() TO pg_monitor;
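Review bot: The three new REVOKEs at lines 28–30 sit under a block comment that only says these functions "shouldn't be executable by just anyone", which understates what a later GRANT on them hands out: per the comment this commit deletes from pg_config_manual.h, lo_import()/lo_export() read and write any file the server process can access. With the C-level superuser check and its hint removed, this comment is now the only place an administrator editing these grants learns that. I would add, directly above the lo_import(text) line, `-- lo_import()/lo_export() read and write server-side files with the server process's OS privileges; granting EXECUTE on them is equivalent to granting that file access.` The new "accessible to standard roles" header at lines 35–37 reads fine as is.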
LargeObjectDesc *lobj;
Oid oid;
-#ifndef ALLOW_DANGEROUS_LO_FUNCTIONS
- if (!superuser())
- ereport(ERROR,
- (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- errmsg("must be superuser to use server-side lo_import()"),
- errhint("Anyone can use the client-side lo_import() provided by libpq.")));
-#endif
-
CreateFSContext();
/*
LargeObjectDesc *lobj;
mode_t oumask;
-#ifndef ALLOW_DANGEROUS_LO_FUNCTIONS
- if (!superuser())
- ereport(ERROR,
- (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- errmsg("must be superuser to use server-side lo_export()"),
- errhint("Anyone can use the client-side lo_export() provided by libpq.")));
-#endif
-
CreateFSContext();
/*
*/
/* yyyymmddN */
-#define CATALOG_VERSION_NO 201710161
+#define CATALOG_VERSION_NO 201711091
#endif
*/
#define NUM_ATOMICS_SEMAPHORES 64
-/*
- * Define this if you want to allow the lo_import and lo_export SQL
- * functions to be executed by ordinary users. By default these
- * functions are only available to the Postgres superuser. CAUTION:
- * These functions are SECURITY HOLES since they can read and write
- * any file that the PostgreSQL server has permission to access. If
- * you turn this on, don't say we didn't warn you.
- */
-/* #define ALLOW_DANGEROUS_LO_FUNCTIONS */
-
/*
* MAXPGPATH: standard size of a pathname buffer in PostgreSQL (hence,
* maximum usable pathname length is one less).
SELECT lo_unlink(1002); -- to be denied
ERROR: must be owner of large object 1002
SELECT lo_export(1001, '/dev/null'); -- to be denied
-ERROR: must be superuser to use server-side lo_export()
-HINT: Anyone can use the client-side lo_export() provided by libpq.
+ERROR: permission denied for function lo_export
+SELECT lo_import('/dev/null'); -- to be denied
+ERROR: permission denied for function lo_import
+SELECT lo_import('/dev/null', 2003); -- to be denied
+ERROR: permission denied for function lo_import
\c -
SET lo_compat_privileges = true; -- compatibility mode
SET SESSION AUTHORIZATION regress_user4;
(1 row)
SELECT lo_export(1001, '/dev/null'); -- to be denied
-ERROR: must be superuser to use server-side lo_export()
-HINT: Anyone can use the client-side lo_export() provided by libpq.
+ERROR: permission denied for function lo_export
-- don't allow unpriv users to access pg_largeobject contents
\c -
SELECT * FROM pg_largeobject LIMIT 0;
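Review bot: The compatibility-mode case at lines 98–101 now expects `permission denied for function lo_export` even with `lo_compat_privileges = true`, and nothing in the test says whether that is intended, so a future reader may take it for a regression. The expected output indicates that the GUC does not relax the function's EXECUTE ACL (it appears to affect only the large-object ownership checks seen at line 85); I would put `-- lo_compat_privileges does not override the EXECUTE privilege revoked from public in system_views.sql` above the lo_export call in privileges.sql so the .out file carries it too. The added cases at lines 90–93 only cover the deny path; a matching positive case — GRANT EXECUTE on lo_import(text) to regress_user4, then the same call succeeding, then REVOKE it again — would pin down that the ACL is what now governs access, which is the behaviour the commit message relies on.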
SELECT lo_put(1002, 1, 'abcd'); -- to be denied
SELECT lo_unlink(1002); -- to be denied
SELECT lo_export(1001, '/dev/null'); -- to be denied
+SELECT lo_import('/dev/null'); -- to be denied
+SELECT lo_import('/dev/null', 2003); -- to be denied
\c -
SET lo_compat_privileges = true; -- compatibility mode