PostgreSQL Source Code  git master
usercontext.c File Reference
#include "postgres.h"
#include "miscadmin.h"
#include "utils/acl.h"
#include "utils/guc.h"
#include "utils/usercontext.h"
Include dependency graph for usercontext.c:

Go to the source code of this file.

Functions

void SwitchToUntrustedUser (Oid userid, UserContext *context)
 
void RestoreUserContext (UserContext *context)
 

Function Documentation

◆ RestoreUserContext()

void RestoreUserContext ( UserContext context)

Definition at line 87 of file usercontext.c.

88 {
89  if (context->save_nestlevel != -1)
90  AtEOXact_GUC(false, context->save_nestlevel);
91  SetUserIdAndSecContext(context->save_userid, context->save_sec_context);
92 }
void AtEOXact_GUC(bool isCommit, int nestLevel)
Definition: guc.c:2264
void SetUserIdAndSecContext(Oid userid, int sec_context)
Definition: miscinit.c:642
tree context
Definition: radixtree.h:1829

References AtEOXact_GUC(), context, and SetUserIdAndSecContext().

Referenced by apply_handle_delete(), apply_handle_insert(), apply_handle_update(), ExecuteTruncateGuts(), and LogicalRepSyncTableStart().

◆ SwitchToUntrustedUser()

void SwitchToUntrustedUser ( Oid  userid,
UserContext context 
)

Definition at line 33 of file usercontext.c.

34 {
35  /* Get the current user ID and security context. */
36  GetUserIdAndSecContext(&context->save_userid,
37  &context->save_sec_context);
38 
39  /* Check that we have sufficient privileges to assume the target role. */
40  if (!member_can_set_role(context->save_userid, userid))
41  ereport(ERROR,
42  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
43  errmsg("role \"%s\" cannot SET ROLE to \"%s\"",
44  GetUserNameFromId(context->save_userid, false),
45  GetUserNameFromId(userid, false))));
46 
47  /*
48  * Try to prevent the user to which we're switching from assuming the
49  * privileges of the current user, unless they can SET ROLE to that user
50  * anyway.
51  */
52  if (member_can_set_role(userid, context->save_userid))
53  {
54  /*
55  * Each user can SET ROLE to the other, so there's no point in
56  * imposing any security restrictions. Just let the user do whatever
57  * they want.
58  */
59  SetUserIdAndSecContext(userid, context->save_sec_context);
60  context->save_nestlevel = -1;
61  }
62  else
63  {
64  int sec_context = context->save_sec_context;
65 
66  /*
67  * This user can SET ROLE to the target user, but not the other way
68  * around, so protect ourselves against the target user by setting
69  * SECURITY_RESTRICTED_OPERATION to prevent certain changes to the
70  * session state. Also set up a new GUC nest level, so that we can
71  * roll back any GUC changes that may be made by code running as the
72  * target user, inasmuch as they could be malicious.
73  */
74  sec_context |= SECURITY_RESTRICTED_OPERATION;
75  SetUserIdAndSecContext(userid, sec_context);
76  context->save_nestlevel = NewGUCNestLevel();
77  }
78 }
bool member_can_set_role(Oid member, Oid role)
Definition: acl.c:5162
int errcode(int sqlerrcode)
Definition: elog.c:859
int errmsg(const char *fmt,...)
Definition: elog.c:1072
#define ERROR
Definition: elog.h:39
#define ereport(elevel,...)
Definition: elog.h:149
int NewGUCNestLevel(void)
Definition: guc.c:2237
#define SECURITY_RESTRICTED_OPERATION
Definition: miscadmin.h:315
char * GetUserNameFromId(Oid roleid, bool noerr)
Definition: miscinit.c:980
void GetUserIdAndSecContext(Oid *userid, int *sec_context)
Definition: miscinit.c:635

References context, ereport, errcode(), errmsg(), ERROR, GetUserIdAndSecContext(), GetUserNameFromId(), member_can_set_role(), NewGUCNestLevel(), SECURITY_RESTRICTED_OPERATION, and SetUserIdAndSecContext().

Referenced by apply_handle_delete(), apply_handle_insert(), apply_handle_update(), ExecuteTruncateGuts(), and LogicalRepSyncTableStart().