Re: [HACKERS] [BUGS] 7.4 beta 1: SET log_statement=false - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: [HACKERS] [BUGS] 7.4 beta 1: SET log_statement=false
Date
Msg-id 200309040506.h8456Fr23315@candle.pha.pa.us
Whole thread Raw
Responses Re: [HACKERS] [BUGS] 7.4 beta 1: SET log_statement=false  (Bertrand Petit <pgsql-bugs@phoe.frmug.org>)
List pgsql-patches
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Yes, I have been thinking of that.  The big question is whether a
> > non-super user can control the reset value?
>
> He could (via PGOPTIONS) ... but since he can only increase it, there is
> nothing to fear.

I have followed your suggestion and applied the following patch to have
PGC_USERLIMIT track reset_val rather than session_val.  I now see that
all sources set the default, except SET:

        makeDefault = changeVal && (source <= PGC_S_OVERRIDE) && (value != NULL$

        typedef enum
        {
            PGC_S_DEFAULT,              /* wired-in default */
            PGC_S_ENV_VAR,              /* postmaster environment variable */
            PGC_S_FILE,                 /* postgresql.conf */
            PGC_S_ARGV,                 /* postmaster command line */
            PGC_S_UNPRIVILEGED,         /* dividing line for USERLIMIT */
            PGC_S_DATABASE,             /* per-database setting */
            PGC_S_USER,                 /* per-user setting */
            PGC_S_CLIENT,               /* from client connection request */
            PGC_S_OVERRIDE,             /* special case to forcibly set default$
            PGC_S_SESSION               /* SET command */
        } GucSource;

This fixes the reported problem where log_statement couldn't be turned
on then off in a session by a non-super user.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Index: src/backend/utils/misc/guc.c
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/utils/misc/guc.c,v
retrieving revision 1.151
diff -c -c -r1.151 guc.c
*** src/backend/utils/misc/guc.c    26 Aug 2003 15:38:25 -0000    1.151
--- src/backend/utils/misc/guc.c    31 Aug 2003 04:41:15 -0000
***************
*** 2556,2562 ****
                      /* Limit non-superuser changes */
                      if (record->context == PGC_USERLIMIT &&
                          source > PGC_S_UNPRIVILEGED &&
!                         newval < conf->session_val &&
                          !superuser())
                      {
                          ereport(elevel,
--- 2556,2562 ----
                      /* Limit non-superuser changes */
                      if (record->context == PGC_USERLIMIT &&
                          source > PGC_S_UNPRIVILEGED &&
!                         newval < conf->reset_val &&
                          !superuser())
                      {
                          ereport(elevel,
***************
*** 2569,2576 ****
                      /* Allow admin to override non-superuser setting */
                      if (record->context == PGC_USERLIMIT &&
                          source < PGC_S_UNPRIVILEGED &&
!                         record->session_source > PGC_S_UNPRIVILEGED &&
!                         newval > conf->session_val &&
                          !superuser())
                          DoIt = DoIt_orig;
                  }
--- 2569,2576 ----
                      /* Allow admin to override non-superuser setting */
                      if (record->context == PGC_USERLIMIT &&
                          source < PGC_S_UNPRIVILEGED &&
!                         record->reset_source > PGC_S_UNPRIVILEGED &&
!                         newval > conf->reset_val &&
                          !superuser())
                          DoIt = DoIt_orig;
                  }
***************
*** 2652,2659 ****
                      /* Limit non-superuser changes */
                      if (record->context == PGC_USERLIMIT &&
                          source > PGC_S_UNPRIVILEGED &&
!                         conf->session_val != 0 &&
!                         (newval > conf->session_val || newval == 0) &&
                          !superuser())
                      {
                          ereport(elevel,
--- 2652,2659 ----
                      /* Limit non-superuser changes */
                      if (record->context == PGC_USERLIMIT &&
                          source > PGC_S_UNPRIVILEGED &&
!                         conf->reset_val != 0 &&
!                         (newval > conf->reset_val || newval == 0) &&
                          !superuser())
                      {
                          ereport(elevel,
***************
*** 2666,2673 ****
                      /* Allow admin to override non-superuser setting */
                      if (record->context == PGC_USERLIMIT &&
                          source < PGC_S_UNPRIVILEGED &&
!                         record->session_source > PGC_S_UNPRIVILEGED &&
!                         newval < conf->session_val &&
                          !superuser())
                          DoIt = DoIt_orig;
                  }
--- 2666,2673 ----
                      /* Allow admin to override non-superuser setting */
                      if (record->context == PGC_USERLIMIT &&
                          source < PGC_S_UNPRIVILEGED &&
!                         record->reset_source > PGC_S_UNPRIVILEGED &&
!                         newval < conf->reset_val &&
                          !superuser())
                          DoIt = DoIt_orig;
                  }
***************
*** 2749,2755 ****
                      /* Limit non-superuser changes */
                      if (record->context == PGC_USERLIMIT &&
                          source > PGC_S_UNPRIVILEGED &&
!                         newval > conf->session_val &&
                          !superuser())
                      {
                          ereport(elevel,
--- 2749,2755 ----
                      /* Limit non-superuser changes */
                      if (record->context == PGC_USERLIMIT &&
                          source > PGC_S_UNPRIVILEGED &&
!                         newval > conf->reset_val &&
                          !superuser())
                      {
                          ereport(elevel,
***************
*** 2762,2769 ****
                      /* Allow admin to override non-superuser setting */
                      if (record->context == PGC_USERLIMIT &&
                          source < PGC_S_UNPRIVILEGED &&
!                         record->session_source > PGC_S_UNPRIVILEGED &&
!                         newval < conf->session_val &&
                          !superuser())
                          DoIt = DoIt_orig;
                  }
--- 2762,2769 ----
                      /* Allow admin to override non-superuser setting */
                      if (record->context == PGC_USERLIMIT &&
                          source < PGC_S_UNPRIVILEGED &&
!                         record->reset_source > PGC_S_UNPRIVILEGED &&
!                         newval < conf->reset_val &&
                          !superuser())
                          DoIt = DoIt_orig;
                  }
***************
*** 2860,2867 ****
                          }
                          /* Allow admin to override non-superuser setting */
                          if (source < PGC_S_UNPRIVILEGED &&
!                             record->session_source > PGC_S_UNPRIVILEGED &&
!                             newval < conf->session_val &&
                              !superuser())
                              DoIt = DoIt_orig;
                      }
--- 2860,2867 ----
                          }
                          /* Allow admin to override non-superuser setting */
                          if (source < PGC_S_UNPRIVILEGED &&
!                             record->reset_source > PGC_S_UNPRIVILEGED &&
!                             newval < conf->reset_val &&
                              !superuser())
                              DoIt = DoIt_orig;
                      }

pgsql-patches by date:

Previous
From: Neil Conway
Date:
Subject: improve runtime config docs
Next
From: Kurt Roeckx
Date:
Subject: Re: IPV4 addresses on IPV6 machines in pg_hba.conf