Re: BUG #19483: pg_upgrade fails with orphan records in pg_init_priv catalog table
Laurenz Albe <laurenz.albe@cybertec.at>
From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Hüseyin Demir <huseyin.d3r@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: Greg Sabino Mullane <htamfids@gmail.com>, pgsql-bugs@lists.postgresql.org
Date: 2026-06-24T09:56:58Z
Lists: pgsql-bugs
On Wed, 2026-06-24 at 08:14 +0200, Hüseyin Demir wrote: > You can see the attached v5 patch. Basically, v5 solves the problem by > adding dangling-role filtering directly inside buildACLCommands(). A > role name that consists entirely of digits is potentially a dangling > OID reference and it resolves by querying pg_authid once at the start > of the dump for any legitimate all-digit role names. The patch looks good and passes my tests. It fails the regression tests on my system with pg_dump: error: query failed: ERROR: permission denied for table pg_authid I think you should use pg_roles rather than pg_authid, so that it remains possible to use pg_dump with a non-superuser. While the technique of fetching the all-numeric role names in advance is certainly much cheaper than running a complicated subquery for every object dumped, I have one remaining doubt: What if there is a dangling role OID 65432 in pg_init_privs *and* a valid role with the same name (but a different OID)? Then the patch would tacitly restore the dangling reference to the latter role. Apart from the result being wrong, I wonder if that could be used for a privilege escalation attack: you detect that there are dangling pg_init_privs entries that grant high privileges. Then you abuse your CREATEROLE to create a role with the same name as the dangling OID. After a dump and restore, your role has been assigned those privileges. Perhaps it would be a better approach to fetch the data from pg_init_privs once at the beginning of the dump, ignoring the entries with dangling OIDs? Yours, Laurenz Albe