| From: | Alexander Kukushkin <cyberdemn(at)gmail(dot)com> |
|---|---|
| To: | Kirill Reshke <reshkekirill(at)gmail(dot)com> |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: Superuser can't revoke role granted by non-superuser |
| Date: | 2025-01-27 09:22:58 |
| Message-ID: | CAFh8B==5bnZ9eT8fRt0onuh4Qag2OSXUGqv3Vx9JASw5=Zw4Eg@mail.gmail.com |
| Lists: | pgsql-bugs |
On Mon, 27 Jan 2025 at 10:20, Kirill Reshke <reshkekirill(at)gmail(dot)com> wrote:
> Reproduced this at cf5eb37 (and not on its parent f026c16)
> There was some huge refactoring around user.c and particularly
> `check_role_grantor` function. I'm trying to comprehend.
>
I think the fix should look like:
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 02824c32a49..29948d692b6 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -2342,7 +2342,8 @@ plan_single_revoke(CatCList *memlist,
RevokeRoleGrantAction *actions,
authmem_form = (Form_pg_auth_members)
GETSTRUCT(authmem_tuple);
if (authmem_form->member == member &&
- authmem_form->grantor == grantor)
+ (authmem_form->grantor == grantor ||
+ grantor == BOOTSTRAP_SUPERUSERID))
{
if ((popt->specified &
GRANT_ROLE_SPECIFIED_INHERIT) != 0)
{
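Review bot: The added `grantor == BOOTSTRAP_SUPERUSERID` test in the `if` makes the grantor comparison true for every `pg_auth_members` entry of this member once the effective grantor is the bootstrap superuser, so the match no longer identifies one specific grant. If the same membership was granted by several grantors, the patch should say which entries are meant to be revoked, ideally in a comment above the condition, and the regression tests should include a case with two different grantors. The test also compares against the bootstrap superuser's OID rather than checking superuser status. Unless the caller has already mapped any superuser to that OID, which is not visible in this hunk, other superusers would still fall through to the plain `authmem_form->grantor == grantor` comparison. Since the relaxed match widens what a revoke can remove, a short comment explaining why the bypass is safe would help.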
I am going to work on the patch and update regression tests accordingly.
Regards,
--
Alexander Kukushkin