Re: User with BYPASSRLS privilege can't change password

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Wolfgang Walther <walther(at)technowledgy(dot)de>, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: User with BYPASSRLS privilege can't change password
Date: 2020-11-03 20:02:38
Message-ID: 20201103200237.GY16415@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

Greetings,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Wolfgang Walther <walther(at)technowledgy(dot)de> writes:
> > Tom Lane:
> >> so AFAICS it's impossible to get there. If it isn't impossible,
> >> we have a much bigger hole with respect to issuper.
>
> > Yes, you're right. I read the || as &&. And also missed the ! in else if
> > (!have_createrole_privilege()) btw. :)
>
> Actually the right way to deal with this potential confusion is to
> add a comment, as below. I fixed the docs too.
>
> > I guess the error message "must be superuser to alter replication users"
> > led me on the wrong path. I would be more precise as "must be superuser
> > to alter replication users or change replication attribute" to cover the
> > change-non-replication-to-replication user case, I think. The same thing
> > for superusers.
>
> I'd be okay with changing the error text in HEAD, but less so in the back
> branches, since that'd cause thrashing of translatable strings.

I tend to agree with that.

> diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
> index aef30521bc..5aa5648ae7 100644
> --- a/doc/src/sgml/ref/alter_role.sgml
> +++ b/doc/src/sgml/ref/alter_role.sgml
> @@ -71,7 +71,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
> Attributes not mentioned in the command retain their previous settings.
> Database superusers can change any of these settings for any role.
> Roles having <literal>CREATEROLE</literal> privilege can change any of these
> - settings, but only for non-superuser and non-replication roles.
> + settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
> + and <literal>BYPASSRLS</literal>; but only for non-superuser and
> + non-replication roles.
> Ordinary roles can only change their own password.
> </para>

This looks good, though should we also mention that you have to be a
superuser to set BYPASSRLS on a role in the CREATE ROLE documentation
too..? The error message there could also be improved, it looks like.
Also, we don't seem to document in CREATE ROLE that you have to be a
superuser to create a REPLICATION role either, even though the code
clearly says that.

Attached is a patch for all of those. As mentioned, the error message
probably only makes sense to change in HEAD, though improving the
documentation could be back-patched.

Thanks,

Stephen

Attachment Content-Type Size
cleanup_bypassrls_v1.patch text/x-diff 1.6 KB

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Wolfgang Walther 2020-11-03 20:04:31 Re: Calling variadic function with default value in named notation
Previous Message David G. Johnston 2020-11-03 19:13:13 Re: User with BYPASSRLS privilege can't change password