From: Andrew Dunstan Date: Thu, 3 Nov 2011 16:45:02 +0000 (-0400) Subject: Do not treat a superuser as a member of every role for HBA purposes. X-Git-Tag: REL9_2_BETA1~883 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=94cd0f1ad8af722a48a30a1087377b52ca99d633;p=postgresql Do not treat a superuser as a member of every role for HBA purposes. This makes it possible to use reject lines with group roles. Andrew Dunstan, reviewd by Robert Haas. --- diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index f6f858d474..6493d302c7 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -210,7 +210,10 @@ hostnossl database user in PostgreSQL; a + mark really means match any of the roles that are directly or indirectly members of this role, while a name without a + mark matches - only that specific role.) + only that specific role.) For this purpose, a superuser is only + considered to be a member of a role if they are explicitly a member + of the role, directly or indirectly, and not just by virtue of + being a superuser. Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with @. diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index d2a6db1478..a3036018b4 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -442,8 +442,13 @@ is_member(Oid userid, const char *role) if (!OidIsValid(roleid)) return false; /* if target role not exist, say "no" */ - /* See if user is directly or indirectly a member of role */ - return is_member_of_role(userid, roleid); + /* + * See if user is directly or indirectly a member of role. + * For this purpose, a superuser is not considered to be automatically + * a member of the role, so group auth only applies to explicit + * membership. + */ + return is_member_of_role_nosuper(userid, roleid); } /*