| From: | Wolfgang Walther <walther(at)technowledgy(dot)de> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: User with BYPASSRLS privilege can't change password |
| Date: | 2020-11-03 18:05:32 |
| Message-ID: | 3e771893-1ed1-97e7-6c4a-7b0d00992103@technowledgy.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Tom Lane:
> It's a little more subtle than that, but not much. Commit 491c029db
> copied-and-pasted the logic used to deny non-superusers the privilege
> to change anything about a superuser role. That was certainly not the
> intention, because the error message was phrased differently from the
> superuser case, but that was the effect. I propose the attached.
Wouldn't the following change allow a non-superuser with createrole
privilege to grant the replication privilege to a role that does not
have that privilege, yet? This should still be forbidden, I think.
@@ -739,7 +741,6 @@ AlterRole(AlterRoleStmt *stmt)
createrole < 0 &&
createdb < 0 &&
canlogin < 0 &&
- isreplication < 0 &&
!dconnlimit &&
!rolemembers &&
!validUntil &&
This is because the "must be superuser to alter replication users"
condition only triggers when the altered role already has isrepliaction,
so isreplication could very well be >= 0 here.
The other change looks good.
Best
Wolfgang
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2020-11-03 18:06:42 | Re: User with BYPASSRLS privilege can't change password |
| Previous Message | Tom Lane | 2020-11-03 17:50:26 | Re: BUG #16698: Create extension and search path |