Nathan Bossart <nathandbossart@gmail.com> writes:
>> I think this is because GUCArrayReset() is the only caller of
>> validate_option_array_item() that sets skipIfNoPermissions to true. The
>> others fall through to set_config_option(), which does a
>> pg_parameter_aclcheck(). So, you are right.
> Here's a small patch that seems to fix this case.
Yeah, this is more or less what I was thinking of.
> However, I wonder if a
> better way to fix this is to provide a way to stop set_config_option() from
> throwing errors (e.g., setting elevel to -1). That way, we could remove
> the manual permissions checks in favor of always using the real ones, which
> might help prevent similar bugs in the future.
I thought about that for a bit. You could almost do it today if you
passed elevel == DEBUG5; the ensuing log chatter for failures would be
down in the noise compared to everything else you would see with
min_messages cranked down that far. However,
(1) As things stand, set_config_option()'s result does not distinguish
no-permissions failures from other problems, so we'd need some rejiggering
of its API anyway.
(2) As you mused upthread, it's possible that ACL_SET isn't what we should
be checking here, but some more-specific privilege. So I'd just as soon
keep this privilege check separate from set_config_option's.
I'll push ahead with fixing it like this.
regards, tom lane
