Refactor permissions checks for large objects.
Tom Lane <tgl@sss.pgh.pa.us>
Refactor permissions checks for large objects. Up to now, ACL checks for large objects happened at the level of the SQL-callable functions, which led to CVE-2017-7548 because of a missing check. Push them down to be enforced in inv_api.c as much as possible, in hopes of preventing future bugs. This does have the effect of moving read and write permission errors to happen at lo_open time not loread or lowrite time, but that seems acceptable. Michael Paquier and Tom Lane Discussion: https://postgr.es/m/CAB7nPqRHmNOYbETnc_2EjsuzSM00Z+BWKv9sy6tnvSd5gWT_JA@mail.gmail.com
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/catalog/objectaddress.c | modified | +1 −1 |
| src/backend/libpq/be-fsstubs.c | modified | +17 −71 |
| src/backend/storage/large_object/inv_api.c | modified | +85 −23 |
| src/backend/utils/misc/guc.c | modified | +6 −6 |
| src/include/libpq/be-fsstubs.h | modified | +0 −5 |
| src/include/storage/large_object.h | modified | +8 −5 |
Discussion
- Simplify ACL handling for large objects and removal of superuser() checks 31 messages · 2017-08-14 → 2017-11-15