| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Wolfgang Walther <walther(at)technowledgy(dot)de>, pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: User with BYPASSRLS privilege can't change password |
| Date: | 2020-11-03 17:44:11 |
| Message-ID: | 956994.1604425451@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
I wrote:
> Wolfgang Walther <walther(at)technowledgy(dot)de> writes:
>> CREATE USER bob BYPASSRLS;
>> SET ROLE bob;
>> ALTER USER bob PASSWORD 'x';
>> -- ERROR: must be superuser to change bypassrls attribute
> Yeah, duplicated here on HEAD. The error message seems to think
> the command is trying to remove the BYPASSRLS privilege, which
> suggests somebody forgot to copy that flag somewhere where it needs
> to be copied. Haven't dug further than that.
It's a little more subtle than that, but not much. Commit 491c029db
copied-and-pasted the logic used to deny non-superusers the privilege
to change anything about a superuser role. That was certainly not the
intention, because the error message was phrased differently from the
superuser case, but that was the effect. I propose the attached.
(Hm, looks like this behavior is undocumented, too.)
regards, tom lane
| Attachment | Content-Type | Size |
|---|---|---|
| fix-bypassrls-privilege-check.patch | text/x-diff | 1.2 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2020-11-03 17:50:26 | Re: BUG #16698: Create extension and search path |
| Previous Message | Miha Vrhovnik | 2020-11-03 17:10:09 | Re: BUG #16698: Create extension and search path |