On Wed, Mar 15, 2023 at 11:10:11AM +0900, Kyotaro Horiguchi wrote:
> At Tue, 14 Mar 2023 20:33:10 +0100, hubert depesz lubaczewski <depesz@depesz.com> wrote in
> > Hi,
> > Tested it now on built today Pg 16devel, straight from repo.
> >
> > In docs (https://www.postgresql.org/docs/current/functions-admin.html#FUNCTIONS-ADMIN-GENFILE), I found:
> > > The functions shown in Table 9.99 provide native access to files on
> > > the machine hosting the server. Only files within the database cluster
> > > directory and the log_directory can be accessed, unless the user is
> > > a superuser or is granted the role pg_read_server_files. Use
> > > a relative path for files in the cluster directory, and a path
> > > matching the log_directory configuration setting for log files.
> >
> > which I understand that if I'll grant pg_read_server_files to some user,
> > then this user should be able to use the generic file access functions.
>
> > $ select * from pg_ls_dir('.');
> > ERROR: permission denied for function pg_ls_dir
>
> "GRANT EXECUTE ON FUNCTION pg_ls_dir(text) TO test" might work for you.
>
> The doc section you are referring to also describes that on a
> per-function basis like this.
OK, I get it, but then, what is the point of mentioning
pg_read_server_files in the doc? I can just as well grant execute on the
functions to someone. And, I tested, they don't need to be in
pg_read_server_files.
Best regards,
depesz