pgsql: Revert MAINTAIN privilege and pg_maintain predefined role. - Mailing list pgsql-committers
From | Nathan Bossart |
---|---|
Subject | pgsql: Revert MAINTAIN privilege and pg_maintain predefined role. |
Date | |
Msg-id | E1qHqAZ-002OFr-6R@gemulon.postgresql.org Whole thread Raw |
List | pgsql-committers |
Revert MAINTAIN privilege and pg_maintain predefined role. This reverts the following commits: 4dbdb82513, c2122aae63, 5b1a879943, 9e1e9d6560, ff9618e82a, 60684dd834, 4441fc704d, and b5d6382496. A role with the MAINTAIN privilege may be able to use search_path tricks to escalate privileges to the table owner. Unfortunately, it is too late in the v16 development cycle to apply the proposed fix, i.e., restricting search_path when running maintenance commands. Bumps catversion. Reviewed-by: Jeff Davis Discussion: https://postgr.es/m/E1q7j7Y-000z1H-Hr%40gemulon.postgresql.org Backpatch-through: 16 Branch ------ REL_16_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/957445996fda2d6939a8748f2a19c10b15941c5e Modified Files -------------- doc/src/sgml/ddl.sgml | 35 ++----- doc/src/sgml/func.sgml | 2 +- doc/src/sgml/ref/alter_default_privileges.sgml | 4 +- doc/src/sgml/ref/analyze.sgml | 6 +- doc/src/sgml/ref/cluster.sgml | 10 +- doc/src/sgml/ref/grant.sgml | 3 +- doc/src/sgml/ref/lock.sgml | 4 +- doc/src/sgml/ref/refresh_materialized_view.sgml | 5 +- doc/src/sgml/ref/reindex.sgml | 23 ++-- doc/src/sgml/ref/revoke.sgml | 2 +- doc/src/sgml/ref/vacuum.sgml | 6 +- doc/src/sgml/user-manag.sgml | 12 --- src/backend/catalog/aclchk.c | 15 --- src/backend/commands/analyze.c | 13 +-- src/backend/commands/cluster.c | 43 ++------ src/backend/commands/indexcmds.c | 34 +++--- src/backend/commands/lockcmds.c | 2 +- src/backend/commands/matview.c | 3 +- src/backend/commands/tablecmds.c | 16 ++- src/backend/commands/vacuum.c | 65 ++++++------ src/backend/utils/adt/acl.c | 8 -- src/bin/pg_dump/dumputils.c | 1 - src/bin/pg_dump/t/002_pg_dump.pl | 2 +- src/bin/psql/tab-complete.c | 6 +- src/include/catalog/catversion.h | 2 +- src/include/catalog/pg_authid.dat | 5 - src/include/commands/tablecmds.h | 5 +- src/include/commands/vacuum.h | 5 +- src/include/nodes/parsenodes.h | 3 +- src/include/utils/acl.h | 5 +- .../expected/cluster-conflict-partition.out | 8 +- .../specs/cluster-conflict-partition.spec | 2 +- src/test/perl/PostgreSQL/Test/AdjustUpgrade.pm | 11 -- src/test/regress/expected/cluster.out | 7 -- src/test/regress/expected/create_index.out | 4 +- src/test/regress/expected/dependency.out | 22 ++-- src/test/regress/expected/privileges.out | 116 ++++----------------- src/test/regress/expected/rowsecurity.out | 34 +++--- src/test/regress/sql/cluster.sql | 5 - src/test/regress/sql/dependency.sql | 2 +- src/test/regress/sql/privileges.sql | 68 ------------ 41 files changed, 179 insertions(+), 445 deletions(-)
pgsql-committers by date: