PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
usercontext.c File Reference
#include "postgres.h"
#include "miscadmin.h"
#include "utils/acl.h"
#include "utils/guc.h"
#include "utils/usercontext.h"
Include dependency graph for usercontext.c:

Go to the source code of this file.

Functions

void SwitchToUntrustedUser (Oid userid, UserContext *context)
 
void RestoreUserContext (UserContext *context)
 

Function Documentation

◆ RestoreUserContext()

void RestoreUserContext ( UserContext context)

Definition at line 87 of file usercontext.c.

88{
89 if (context->save_nestlevel != -1)
90 AtEOXact_GUC(false, context->save_nestlevel);
92}
void AtEOXact_GUC(bool isCommit, int nestLevel)
Definition: guc.c:2262
void SetUserIdAndSecContext(Oid userid, int sec_context)
Definition: miscinit.c:667
int save_sec_context
Definition: usercontext.h:18
Oid save_userid
Definition: usercontext.h:17
int save_nestlevel
Definition: usercontext.h:19

References AtEOXact_GUC(), UserContext::save_nestlevel, UserContext::save_sec_context, UserContext::save_userid, and SetUserIdAndSecContext().

Referenced by apply_handle_delete(), apply_handle_insert(), apply_handle_update(), ExecuteTruncateGuts(), and LogicalRepSyncTableStart().

◆ SwitchToUntrustedUser()

void SwitchToUntrustedUser ( Oid  userid,
UserContext context 
)

Definition at line 33 of file usercontext.c.

34{
35 /* Get the current user ID and security context. */
37 &context->save_sec_context);
38
39 /* Check that we have sufficient privileges to assume the target role. */
40 if (!member_can_set_role(context->save_userid, userid))
42 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
43 errmsg("role \"%s\" cannot SET ROLE to \"%s\"",
44 GetUserNameFromId(context->save_userid, false),
45 GetUserNameFromId(userid, false))));
46
47 /*
48 * Try to prevent the user to which we're switching from assuming the
49 * privileges of the current user, unless they can SET ROLE to that user
50 * anyway.
51 */
52 if (member_can_set_role(userid, context->save_userid))
53 {
54 /*
55 * Each user can SET ROLE to the other, so there's no point in
56 * imposing any security restrictions. Just let the user do whatever
57 * they want.
58 */
60 context->save_nestlevel = -1;
61 }
62 else
63 {
64 int sec_context = context->save_sec_context;
65
66 /*
67 * This user can SET ROLE to the target user, but not the other way
68 * around, so protect ourselves against the target user by setting
69 * SECURITY_RESTRICTED_OPERATION to prevent certain changes to the
70 * session state. Also set up a new GUC nest level, so that we can
71 * roll back any GUC changes that may be made by code running as the
72 * target user, inasmuch as they could be malicious.
73 */
74 sec_context |= SECURITY_RESTRICTED_OPERATION;
75 SetUserIdAndSecContext(userid, sec_context);
77 }
78}
bool member_can_set_role(Oid member, Oid role)
Definition: acl.c:5302
int errcode(int sqlerrcode)
Definition: elog.c:853
int errmsg(const char *fmt,...)
Definition: elog.c:1070
#define ERROR
Definition: elog.h:39
#define ereport(elevel,...)
Definition: elog.h:149
int NewGUCNestLevel(void)
Definition: guc.c:2235
#define SECURITY_RESTRICTED_OPERATION
Definition: miscadmin.h:318
void GetUserIdAndSecContext(Oid *userid, int *sec_context)
Definition: miscinit.c:660
char * GetUserNameFromId(Oid roleid, bool noerr)
Definition: miscinit.c:1036

References ereport, errcode(), errmsg(), ERROR, GetUserIdAndSecContext(), GetUserNameFromId(), member_can_set_role(), NewGUCNestLevel(), UserContext::save_nestlevel, UserContext::save_sec_context, UserContext::save_userid, SECURITY_RESTRICTED_OPERATION, and SetUserIdAndSecContext().

Referenced by apply_handle_delete(), apply_handle_insert(), apply_handle_update(), ExecuteTruncateGuts(), and LogicalRepSyncTableStart().