Hi,
Tested it now on built today Pg 16devel, straight from repo.
In docs (https://www.postgresql.org/docs/current/functions-admin.html#FUNCTIONS-ADMIN-GENFILE), I found:
> The functions shown in Table 9.99 provide native access to files on
> the machine hosting the server. Only files within the database cluster
> directory and the log_directory can be accessed, unless the user is
> a superuser or is granted the role pg_read_server_files. Use
> a relative path for files in the cluster directory, and a path
> matching the log_directory configuration setting for log files.
which I understand that if I'll grant pg_read_server_files to some user,
then this user should be able to use the generic file access functions.
So I tried:
#v+
$ select current_user;
current_user
──────────────
test
(1 row)
$ \du+ test
List of roles
Role name │ Attributes │ Member of │ Description
───────────┼────────────┼───────────────────────────────────────────────────────────────┼─────────────
test │ │ {pg_read_all_settings,pg_read_all_stats,pg_read_server_files} │
$ select * from pg_ls_dir('.');
ERROR: permission denied for function pg_ls_dir
$ select * from pg_ls_dir('log');
ERROR: permission denied for function pg_ls_dir
$ select * from pg_ls_dir('/etc');
ERROR: permission denied for function pg_ls_dir
$ select * from pg_read_file('PG_VERSION');
ERROR: permission denied for function pg_read_file
$ select * from pg_read_file('/etc/passwd');
ERROR: permission denied for function pg_read_file
#v-
After I additionally granted EXECUTE on the functions, I was able to run them, even when I revoked
pg_read_server_files.
Am I missing something in there, or is this a bug?
Best regards,
depesz
