1
/*-------------------------------------------------------------------------
4
* Routines to check access control permissions.
6
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
7
* Portions Copyright (c) 1994, Regents of the University of California
11
* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.108 2004-12-31 21:59:38 pgsql Exp $
16
*-------------------------------------------------------------------------
20
#include "access/heapam.h"
21
#include "catalog/catalog.h"
22
#include "catalog/catname.h"
23
#include "catalog/indexing.h"
24
#include "catalog/namespace.h"
25
#include "catalog/pg_conversion.h"
26
#include "catalog/pg_database.h"
27
#include "catalog/pg_group.h"
28
#include "catalog/pg_language.h"
29
#include "catalog/pg_namespace.h"
30
#include "catalog/pg_opclass.h"
31
#include "catalog/pg_operator.h"
32
#include "catalog/pg_proc.h"
33
#include "catalog/pg_shadow.h"
34
#include "catalog/pg_tablespace.h"
35
#include "catalog/pg_type.h"
36
#include "miscadmin.h"
37
#include "parser/parse_func.h"
38
#include "utils/acl.h"
39
#include "utils/fmgroids.h"
40
#include "utils/lsyscache.h"
41
#include "utils/syscache.h"
44
static void ExecuteGrantStmt_Relation(GrantStmt *stmt);
45
static void ExecuteGrantStmt_Database(GrantStmt *stmt);
46
static void ExecuteGrantStmt_Function(GrantStmt *stmt);
47
static void ExecuteGrantStmt_Language(GrantStmt *stmt);
48
static void ExecuteGrantStmt_Namespace(GrantStmt *stmt);
49
static void ExecuteGrantStmt_Tablespace(GrantStmt *stmt);
51
static const char *privilege_to_string(AclMode privilege);
61
elog(DEBUG2, "acl size = %d, # acls = %d",
62
ACL_SIZE(acl), ACL_NUM(acl));
64
for (i = 0; i < ACL_NUM(acl); ++i)
65
elog(DEBUG2, " acl[%d]: %s", i,
66
DatumGetCString(DirectFunctionCall1(aclitemout,
67
PointerGetDatum(aip + i))));
73
* Determine the effective grantor ID for a GRANT or REVOKE operation.
75
* Ordinarily this is just the current user, but when a superuser does
76
* GRANT or REVOKE, we pretend he is the object owner. This ensures that
77
* all granted privileges appear to flow from the object owner, and there
78
* are never multiple "original sources" of a privilege.
81
select_grantor(AclId ownerId)
85
grantorId = GetUserId();
87
/* fast path if no difference */
88
if (grantorId == ownerId)
99
* If is_grant is true, adds the given privileges for the list of
100
* grantees to the existing old_acl. If is_grant is false, the
101
* privileges for the given grantees are removed from old_acl.
103
* NB: the original old_acl is pfree'd.
106
merge_acl_with_grant(Acl *old_acl, bool is_grant,
107
bool grant_option, DropBehavior behavior,
108
List *grantees, AclMode privileges,
109
AclId grantor_uid, AclId owner_uid)
115
modechg = is_grant ? ACL_MODECHG_ADD : ACL_MODECHG_DEL;
124
PrivGrantee *grantee = (PrivGrantee *) lfirst(j);
129
if (grantee->username)
131
aclitem. ai_grantee = get_usesysid(grantee->username);
133
idtype = ACL_IDTYPE_UID;
135
else if (grantee->groupname)
137
aclitem. ai_grantee = get_grosysid(grantee->groupname);
139
idtype = ACL_IDTYPE_GID;
143
aclitem. ai_grantee = ACL_ID_WORLD;
145
idtype = ACL_IDTYPE_WORLD;
149
* Grant options can only be granted to individual users, not
150
* groups or public. The reason is that if a user would re-grant
151
* a privilege that he held through a group having a grant option,
152
* and later the user is removed from the group, the situation is
153
* impossible to clean up.
155
if (is_grant && grant_option && idtype != ACL_IDTYPE_UID)
157
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
158
errmsg("grant options can only be granted to individual users")));
160
aclitem. ai_grantor = grantor_uid;
163
* The asymmetry in the conditions here comes from the spec. In
164
* GRANT, the grant_option flag signals WITH GRANT OPTION, which
165
* means to grant both the basic privilege and its grant option.
166
* But in REVOKE, plain revoke revokes both the basic privilege
167
* and its grant option, while REVOKE GRANT OPTION revokes only
170
ACLITEM_SET_PRIVS_IDTYPE(aclitem,
171
(is_grant || !grant_option) ? privileges : ACL_NO_RIGHTS,
172
(!is_grant || grant_option) ? privileges : ACL_NO_RIGHTS,
175
newer_acl = aclupdate(new_acl, &aclitem, modechg, owner_uid, behavior);
177
/* avoid memory leak when there are many grantees */
191
* Called to execute the utility commands GRANT and REVOKE
194
ExecuteGrantStmt(GrantStmt *stmt)
196
switch (stmt->objtype)
198
case ACL_OBJECT_RELATION:
199
ExecuteGrantStmt_Relation(stmt);
201
case ACL_OBJECT_DATABASE:
202
ExecuteGrantStmt_Database(stmt);
204
case ACL_OBJECT_FUNCTION:
205
ExecuteGrantStmt_Function(stmt);
207
case ACL_OBJECT_LANGUAGE:
208
ExecuteGrantStmt_Language(stmt);
210
case ACL_OBJECT_NAMESPACE:
211
ExecuteGrantStmt_Namespace(stmt);
213
case ACL_OBJECT_TABLESPACE:
214
ExecuteGrantStmt_Tablespace(stmt);
217
elog(ERROR, "unrecognized GrantStmt.objtype: %d",
218
(int) stmt->objtype);
224
ExecuteGrantStmt_Relation(GrantStmt *stmt)
230
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
233
privileges = ACL_ALL_RIGHTS_RELATION;
238
privileges = ACL_NO_RIGHTS;
239
foreach(i, stmt->privileges)
241
AclMode priv = lfirst_int(i);
243
if (priv & ~((AclMode) ACL_ALL_RIGHTS_RELATION))
245
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
246
errmsg("invalid privilege type %s for table",
247
privilege_to_string(priv))));
252
foreach(i, stmt->objects)
254
RangeVar *relvar = (RangeVar *) lfirst(i);
258
Form_pg_class pg_class_tuple;
262
AclMode this_privileges;
268
Datum values[Natts_pg_class];
269
char nulls[Natts_pg_class];
270
char replaces[Natts_pg_class];
273
relation = heap_openr(RelationRelationName, RowExclusiveLock);
274
relOid = RangeVarGetRelid(relvar, false);
275
tuple = SearchSysCache(RELOID,
276
ObjectIdGetDatum(relOid),
278
if (!HeapTupleIsValid(tuple))
279
elog(ERROR, "cache lookup failed for relation %u", relOid);
280
pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
282
/* Not sensible to grant on an index */
283
if (pg_class_tuple->relkind == RELKIND_INDEX)
285
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
286
errmsg("\"%s\" is an index",
289
/* Composite types aren't tables either */
290
if (pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
292
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
293
errmsg("\"%s\" is a composite type",
296
ownerId = pg_class_tuple->relowner;
297
grantorId = select_grantor(ownerId);
300
* Must be owner or have some privilege on the object (per spec,
301
* any privilege will get you by here). The owner is always
302
* treated as having all grant options.
304
if (pg_class_ownercheck(relOid, GetUserId()))
305
my_goptions = ACL_ALL_RIGHTS_RELATION;
310
my_rights = pg_class_aclmask(relOid,
312
ACL_ALL_RIGHTS_RELATION | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_RELATION),
314
if (my_rights == ACL_NO_RIGHTS)
315
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_CLASS,
317
my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
321
* Restrict the operation to what we can actually grant or revoke,
322
* and issue a warning if appropriate. (For REVOKE this isn't
323
* quite what the spec says to do: the spec seems to want a
324
* warning only if no privilege bits actually change in the ACL.
325
* In practice that behavior seems much too noisy, as well as
326
* inconsistent with the GRANT case.)
328
this_privileges = privileges & my_goptions;
331
if (this_privileges == 0)
333
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
334
errmsg("no privileges were granted")));
335
else if (!all_privs && this_privileges != privileges)
337
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
338
errmsg("not all privileges were granted")));
342
if (this_privileges == 0)
344
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
345
errmsg("no privileges could be revoked")));
346
else if (!all_privs && this_privileges != privileges)
348
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
349
errmsg("not all privileges could be revoked")));
353
* If there's no ACL, substitute the proper default.
355
aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
358
old_acl = acldefault(ACL_OBJECT_RELATION, ownerId);
360
/* get a detoasted copy of the ACL */
361
old_acl = DatumGetAclPCopy(aclDatum);
363
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
364
stmt->grant_option, stmt->behavior,
365
stmt->grantees, this_privileges,
368
/* finished building new ACL value, now insert it */
369
MemSet(values, 0, sizeof(values));
370
MemSet(nulls, ' ', sizeof(nulls));
371
MemSet(replaces, ' ', sizeof(replaces));
373
replaces[Anum_pg_class_relacl - 1] = 'r';
374
values[Anum_pg_class_relacl - 1] = PointerGetDatum(new_acl);
376
newtuple = heap_modifytuple(tuple, relation, values, nulls, replaces);
378
ReleaseSysCache(tuple);
380
simple_heap_update(relation, &newtuple->t_self, newtuple);
382
/* keep the catalog indexes up to date */
383
CatalogUpdateIndexes(relation, newtuple);
387
heap_close(relation, RowExclusiveLock);
392
ExecuteGrantStmt_Database(GrantStmt *stmt)
398
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
401
privileges = ACL_ALL_RIGHTS_DATABASE;
406
privileges = ACL_NO_RIGHTS;
407
foreach(i, stmt->privileges)
409
AclMode priv = lfirst_int(i);
411
if (priv & ~((AclMode) ACL_ALL_RIGHTS_DATABASE))
413
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
414
errmsg("invalid privilege type %s for database",
415
privilege_to_string(priv))));
420
foreach(i, stmt->objects)
422
char *dbname = strVal(lfirst(i));
424
ScanKeyData entry[1];
427
Form_pg_database pg_database_tuple;
431
AclMode this_privileges;
437
Datum values[Natts_pg_database];
438
char nulls[Natts_pg_database];
439
char replaces[Natts_pg_database];
441
relation = heap_openr(DatabaseRelationName, RowExclusiveLock);
442
ScanKeyInit(&entry[0],
443
Anum_pg_database_datname,
444
BTEqualStrategyNumber, F_NAMEEQ,
445
CStringGetDatum(dbname));
446
scan = heap_beginscan(relation, SnapshotNow, 1, entry);
447
tuple = heap_getnext(scan, ForwardScanDirection);
448
if (!HeapTupleIsValid(tuple))
450
(errcode(ERRCODE_UNDEFINED_DATABASE),
451
errmsg("database \"%s\" does not exist", dbname)));
452
pg_database_tuple = (Form_pg_database) GETSTRUCT(tuple);
454
ownerId = pg_database_tuple->datdba;
455
grantorId = select_grantor(ownerId);
458
* Must be owner or have some privilege on the object (per spec,
459
* any privilege will get you by here). The owner is always
460
* treated as having all grant options.
462
if (pg_database_ownercheck(HeapTupleGetOid(tuple), GetUserId()))
463
my_goptions = ACL_ALL_RIGHTS_DATABASE;
468
my_rights = pg_database_aclmask(HeapTupleGetOid(tuple),
470
ACL_ALL_RIGHTS_DATABASE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_DATABASE),
472
if (my_rights == ACL_NO_RIGHTS)
473
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_DATABASE,
474
NameStr(pg_database_tuple->datname));
475
my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
479
* Restrict the operation to what we can actually grant or revoke,
480
* and issue a warning if appropriate. (For REVOKE this isn't
481
* quite what the spec says to do: the spec seems to want a
482
* warning only if no privilege bits actually change in the ACL.
483
* In practice that behavior seems much too noisy, as well as
484
* inconsistent with the GRANT case.)
486
this_privileges = privileges & my_goptions;
489
if (this_privileges == 0)
491
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
492
errmsg("no privileges were granted")));
493
else if (!all_privs && this_privileges != privileges)
495
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
496
errmsg("not all privileges were granted")));
500
if (this_privileges == 0)
502
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
503
errmsg("no privileges could be revoked")));
504
else if (!all_privs && this_privileges != privileges)
506
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
507
errmsg("not all privileges could be revoked")));
511
* If there's no ACL, substitute the proper default.
513
aclDatum = heap_getattr(tuple, Anum_pg_database_datacl,
514
RelationGetDescr(relation), &isNull);
516
old_acl = acldefault(ACL_OBJECT_DATABASE, ownerId);
518
/* get a detoasted copy of the ACL */
519
old_acl = DatumGetAclPCopy(aclDatum);
521
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
522
stmt->grant_option, stmt->behavior,
523
stmt->grantees, this_privileges,
526
/* finished building new ACL value, now insert it */
527
MemSet(values, 0, sizeof(values));
528
MemSet(nulls, ' ', sizeof(nulls));
529
MemSet(replaces, ' ', sizeof(replaces));
531
replaces[Anum_pg_database_datacl - 1] = 'r';
532
values[Anum_pg_database_datacl - 1] = PointerGetDatum(new_acl);
534
newtuple = heap_modifytuple(tuple, relation, values, nulls, replaces);
536
simple_heap_update(relation, &newtuple->t_self, newtuple);
538
/* keep the catalog indexes up to date */
539
CatalogUpdateIndexes(relation, newtuple);
545
heap_close(relation, RowExclusiveLock);
550
ExecuteGrantStmt_Function(GrantStmt *stmt)
556
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
559
privileges = ACL_ALL_RIGHTS_FUNCTION;
564
privileges = ACL_NO_RIGHTS;
565
foreach(i, stmt->privileges)
567
AclMode priv = lfirst_int(i);
569
if (priv & ~((AclMode) ACL_ALL_RIGHTS_FUNCTION))
571
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
572
errmsg("invalid privilege type %s for function",
573
privilege_to_string(priv))));
578
foreach(i, stmt->objects)
580
FuncWithArgs *func = (FuncWithArgs *) lfirst(i);
584
Form_pg_proc pg_proc_tuple;
588
AclMode this_privileges;
594
Datum values[Natts_pg_proc];
595
char nulls[Natts_pg_proc];
596
char replaces[Natts_pg_proc];
598
oid = LookupFuncNameTypeNames(func->funcname, func->funcargs, false);
600
relation = heap_openr(ProcedureRelationName, RowExclusiveLock);
601
tuple = SearchSysCache(PROCOID,
602
ObjectIdGetDatum(oid),
604
if (!HeapTupleIsValid(tuple))
605
elog(ERROR, "cache lookup failed for function %u", oid);
606
pg_proc_tuple = (Form_pg_proc) GETSTRUCT(tuple);
608
ownerId = pg_proc_tuple->proowner;
609
grantorId = select_grantor(ownerId);
612
* Must be owner or have some privilege on the object (per spec,
613
* any privilege will get you by here). The owner is always
614
* treated as having all grant options.
616
if (pg_proc_ownercheck(oid, GetUserId()))
617
my_goptions = ACL_ALL_RIGHTS_FUNCTION;
622
my_rights = pg_proc_aclmask(oid,
624
ACL_ALL_RIGHTS_FUNCTION | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_FUNCTION),
626
if (my_rights == ACL_NO_RIGHTS)
627
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_PROC,
628
NameStr(pg_proc_tuple->proname));
629
my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
633
* Restrict the operation to what we can actually grant or revoke,
634
* and issue a warning if appropriate. (For REVOKE this isn't
635
* quite what the spec says to do: the spec seems to want a
636
* warning only if no privilege bits actually change in the ACL.
637
* In practice that behavior seems much too noisy, as well as
638
* inconsistent with the GRANT case.)
640
this_privileges = privileges & my_goptions;
643
if (this_privileges == 0)
645
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
646
errmsg("no privileges were granted")));
647
else if (!all_privs && this_privileges != privileges)
649
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
650
errmsg("not all privileges were granted")));
654
if (this_privileges == 0)
656
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
657
errmsg("no privileges could be revoked")));
658
else if (!all_privs && this_privileges != privileges)
660
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
661
errmsg("not all privileges could be revoked")));
665
* If there's no ACL, substitute the proper default.
667
aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
670
old_acl = acldefault(ACL_OBJECT_FUNCTION, ownerId);
672
/* get a detoasted copy of the ACL */
673
old_acl = DatumGetAclPCopy(aclDatum);
675
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
676
stmt->grant_option, stmt->behavior,
677
stmt->grantees, this_privileges,
680
/* finished building new ACL value, now insert it */
681
MemSet(values, 0, sizeof(values));
682
MemSet(nulls, ' ', sizeof(nulls));
683
MemSet(replaces, ' ', sizeof(replaces));
685
replaces[Anum_pg_proc_proacl - 1] = 'r';
686
values[Anum_pg_proc_proacl - 1] = PointerGetDatum(new_acl);
688
newtuple = heap_modifytuple(tuple, relation, values, nulls, replaces);
690
ReleaseSysCache(tuple);
692
simple_heap_update(relation, &newtuple->t_self, newtuple);
694
/* keep the catalog indexes up to date */
695
CatalogUpdateIndexes(relation, newtuple);
699
heap_close(relation, RowExclusiveLock);
704
ExecuteGrantStmt_Language(GrantStmt *stmt)
710
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
713
privileges = ACL_ALL_RIGHTS_LANGUAGE;
718
privileges = ACL_NO_RIGHTS;
719
foreach(i, stmt->privileges)
721
AclMode priv = lfirst_int(i);
723
if (priv & ~((AclMode) ACL_ALL_RIGHTS_LANGUAGE))
725
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
726
errmsg("invalid privilege type %s for language",
727
privilege_to_string(priv))));
732
foreach(i, stmt->objects)
734
char *langname = strVal(lfirst(i));
737
Form_pg_language pg_language_tuple;
741
AclMode this_privileges;
747
Datum values[Natts_pg_language];
748
char nulls[Natts_pg_language];
749
char replaces[Natts_pg_language];
751
relation = heap_openr(LanguageRelationName, RowExclusiveLock);
752
tuple = SearchSysCache(LANGNAME,
753
PointerGetDatum(langname),
755
if (!HeapTupleIsValid(tuple))
757
(errcode(ERRCODE_UNDEFINED_OBJECT),
758
errmsg("language \"%s\" does not exist", langname)));
759
pg_language_tuple = (Form_pg_language) GETSTRUCT(tuple);
761
if (!pg_language_tuple->lanpltrusted)
763
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
764
errmsg("language \"%s\" is not trusted", langname),
765
errhint("Only superusers may use untrusted languages.")));
768
* Note: for now, languages are treated as owned by the bootstrap
769
* user. We should add an owner column to pg_language instead.
771
ownerId = BOOTSTRAP_USESYSID;
772
grantorId = select_grantor(ownerId);
775
* Must be owner or have some privilege on the object (per spec,
776
* any privilege will get you by here). The owner is always
777
* treated as having all grant options.
779
if (superuser()) /* XXX no ownercheck() available */
780
my_goptions = ACL_ALL_RIGHTS_LANGUAGE;
785
my_rights = pg_language_aclmask(HeapTupleGetOid(tuple),
787
ACL_ALL_RIGHTS_LANGUAGE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_LANGUAGE),
789
if (my_rights == ACL_NO_RIGHTS)
790
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_LANGUAGE,
791
NameStr(pg_language_tuple->lanname));
792
my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
796
* Restrict the operation to what we can actually grant or revoke,
797
* and issue a warning if appropriate. (For REVOKE this isn't
798
* quite what the spec says to do: the spec seems to want a
799
* warning only if no privilege bits actually change in the ACL.
800
* In practice that behavior seems much too noisy, as well as
801
* inconsistent with the GRANT case.)
803
this_privileges = privileges & my_goptions;
806
if (this_privileges == 0)
808
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
809
errmsg("no privileges were granted")));
810
else if (!all_privs && this_privileges != privileges)
812
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
813
errmsg("not all privileges were granted")));
817
if (this_privileges == 0)
819
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
820
errmsg("no privileges could be revoked")));
821
else if (!all_privs && this_privileges != privileges)
823
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
824
errmsg("not all privileges could be revoked")));
828
* If there's no ACL, substitute the proper default.
830
aclDatum = SysCacheGetAttr(LANGNAME, tuple, Anum_pg_language_lanacl,
833
old_acl = acldefault(ACL_OBJECT_LANGUAGE, ownerId);
835
/* get a detoasted copy of the ACL */
836
old_acl = DatumGetAclPCopy(aclDatum);
838
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
839
stmt->grant_option, stmt->behavior,
840
stmt->grantees, this_privileges,
843
/* finished building new ACL value, now insert it */
844
MemSet(values, 0, sizeof(values));
845
MemSet(nulls, ' ', sizeof(nulls));
846
MemSet(replaces, ' ', sizeof(replaces));
848
replaces[Anum_pg_language_lanacl - 1] = 'r';
849
values[Anum_pg_language_lanacl - 1] = PointerGetDatum(new_acl);
851
newtuple = heap_modifytuple(tuple, relation, values, nulls, replaces);
853
ReleaseSysCache(tuple);
855
simple_heap_update(relation, &newtuple->t_self, newtuple);
857
/* keep the catalog indexes up to date */
858
CatalogUpdateIndexes(relation, newtuple);
862
heap_close(relation, RowExclusiveLock);
867
ExecuteGrantStmt_Namespace(GrantStmt *stmt)
873
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
876
privileges = ACL_ALL_RIGHTS_NAMESPACE;
881
privileges = ACL_NO_RIGHTS;
882
foreach(i, stmt->privileges)
884
AclMode priv = lfirst_int(i);
886
if (priv & ~((AclMode) ACL_ALL_RIGHTS_NAMESPACE))
888
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
889
errmsg("invalid privilege type %s for schema",
890
privilege_to_string(priv))));
895
foreach(i, stmt->objects)
897
char *nspname = strVal(lfirst(i));
900
Form_pg_namespace pg_namespace_tuple;
904
AclMode this_privileges;
910
Datum values[Natts_pg_namespace];
911
char nulls[Natts_pg_namespace];
912
char replaces[Natts_pg_namespace];
914
relation = heap_openr(NamespaceRelationName, RowExclusiveLock);
915
tuple = SearchSysCache(NAMESPACENAME,
916
CStringGetDatum(nspname),
918
if (!HeapTupleIsValid(tuple))
920
(errcode(ERRCODE_UNDEFINED_SCHEMA),
921
errmsg("schema \"%s\" does not exist", nspname)));
922
pg_namespace_tuple = (Form_pg_namespace) GETSTRUCT(tuple);
924
ownerId = pg_namespace_tuple->nspowner;
925
grantorId = select_grantor(ownerId);
928
* Must be owner or have some privilege on the object (per spec,
929
* any privilege will get you by here). The owner is always
930
* treated as having all grant options.
932
if (pg_namespace_ownercheck(HeapTupleGetOid(tuple), GetUserId()))
933
my_goptions = ACL_ALL_RIGHTS_NAMESPACE;
938
my_rights = pg_namespace_aclmask(HeapTupleGetOid(tuple),
940
ACL_ALL_RIGHTS_NAMESPACE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_NAMESPACE),
942
if (my_rights == ACL_NO_RIGHTS)
943
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_NAMESPACE,
945
my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
949
* Restrict the operation to what we can actually grant or revoke,
950
* and issue a warning if appropriate. (For REVOKE this isn't
951
* quite what the spec says to do: the spec seems to want a
952
* warning only if no privilege bits actually change in the ACL.
953
* In practice that behavior seems much too noisy, as well as
954
* inconsistent with the GRANT case.)
956
this_privileges = privileges & my_goptions;
959
if (this_privileges == 0)
961
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
962
errmsg("no privileges were granted")));
963
else if (!all_privs && this_privileges != privileges)
965
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
966
errmsg("not all privileges were granted")));
970
if (this_privileges == 0)
972
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
973
errmsg("no privileges could be revoked")));
974
else if (!all_privs && this_privileges != privileges)
976
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
977
errmsg("not all privileges could be revoked")));
981
* If there's no ACL, substitute the proper default.
983
aclDatum = SysCacheGetAttr(NAMESPACENAME, tuple,
984
Anum_pg_namespace_nspacl,
987
old_acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId);
989
/* get a detoasted copy of the ACL */
990
old_acl = DatumGetAclPCopy(aclDatum);
992
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
993
stmt->grant_option, stmt->behavior,
994
stmt->grantees, this_privileges,
997
/* finished building new ACL value, now insert it */
998
MemSet(values, 0, sizeof(values));
999
MemSet(nulls, ' ', sizeof(nulls));
1000
MemSet(replaces, ' ', sizeof(replaces));
1002
replaces[Anum_pg_namespace_nspacl - 1] = 'r';
1003
values[Anum_pg_namespace_nspacl - 1] = PointerGetDatum(new_acl);
1005
newtuple = heap_modifytuple(tuple, relation, values, nulls, replaces);
1007
ReleaseSysCache(tuple);
1009
simple_heap_update(relation, &newtuple->t_self, newtuple);
1011
/* keep the catalog indexes up to date */
1012
CatalogUpdateIndexes(relation, newtuple);
1016
heap_close(relation, RowExclusiveLock);
1021
ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
1027
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
1030
privileges = ACL_ALL_RIGHTS_TABLESPACE;
1035
privileges = ACL_NO_RIGHTS;
1036
foreach(i, stmt->privileges)
1038
AclMode priv = lfirst_int(i);
1040
if (priv & ~((AclMode) ACL_ALL_RIGHTS_TABLESPACE))
1042
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
1043
errmsg("invalid privilege type %s for tablespace",
1044
privilege_to_string(priv))));
1049
foreach(i, stmt->objects)
1051
char *spcname = strVal(lfirst(i));
1053
ScanKeyData entry[1];
1056
Form_pg_tablespace pg_tablespace_tuple;
1059
AclMode my_goptions;
1060
AclMode this_privileges;
1066
Datum values[Natts_pg_tablespace];
1067
char nulls[Natts_pg_tablespace];
1068
char replaces[Natts_pg_tablespace];
1070
relation = heap_openr(TableSpaceRelationName, RowExclusiveLock);
1071
ScanKeyInit(&entry[0],
1072
Anum_pg_tablespace_spcname,
1073
BTEqualStrategyNumber, F_NAMEEQ,
1074
CStringGetDatum(spcname));
1075
scan = heap_beginscan(relation, SnapshotNow, 1, entry);
1076
tuple = heap_getnext(scan, ForwardScanDirection);
1077
if (!HeapTupleIsValid(tuple))
1079
(errcode(ERRCODE_UNDEFINED_OBJECT),
1080
errmsg("tablespace \"%s\" does not exist", spcname)));
1081
pg_tablespace_tuple = (Form_pg_tablespace) GETSTRUCT(tuple);
1083
ownerId = pg_tablespace_tuple->spcowner;
1084
grantorId = select_grantor(ownerId);
1087
* Must be owner or have some privilege on the object (per spec,
1088
* any privilege will get you by here). The owner is always
1089
* treated as having all grant options.
1091
if (pg_tablespace_ownercheck(HeapTupleGetOid(tuple), GetUserId()))
1092
my_goptions = ACL_ALL_RIGHTS_TABLESPACE;
1097
my_rights = pg_tablespace_aclmask(HeapTupleGetOid(tuple),
1099
ACL_ALL_RIGHTS_TABLESPACE | ACL_GRANT_OPTION_FOR(ACL_ALL_RIGHTS_TABLESPACE),
1101
if (my_rights == ACL_NO_RIGHTS)
1102
aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_TABLESPACE,
1104
my_goptions = ACL_OPTION_TO_PRIVS(my_rights);
1108
* Restrict the operation to what we can actually grant or revoke,
1109
* and issue a warning if appropriate. (For REVOKE this isn't
1110
* quite what the spec says to do: the spec seems to want a
1111
* warning only if no privilege bits actually change in the ACL.
1112
* In practice that behavior seems much too noisy, as well as
1113
* inconsistent with the GRANT case.)
1115
this_privileges = privileges & my_goptions;
1118
if (this_privileges == 0)
1120
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
1121
errmsg("no privileges were granted")));
1122
else if (!all_privs && this_privileges != privileges)
1124
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
1125
errmsg("not all privileges were granted")));
1129
if (this_privileges == 0)
1131
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
1132
errmsg("no privileges could be revoked")));
1133
else if (!all_privs && this_privileges != privileges)
1135
(errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
1136
errmsg("not all privileges could be revoked")));
1140
* If there's no ACL, substitute the proper default.
1142
aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl,
1143
RelationGetDescr(relation), &isNull);
1145
old_acl = acldefault(ACL_OBJECT_TABLESPACE, ownerId);
1147
/* get a detoasted copy of the ACL */
1148
old_acl = DatumGetAclPCopy(aclDatum);
1150
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
1151
stmt->grant_option, stmt->behavior,
1152
stmt->grantees, this_privileges,
1153
grantorId, ownerId);
1155
/* finished building new ACL value, now insert it */
1156
MemSet(values, 0, sizeof(values));
1157
MemSet(nulls, ' ', sizeof(nulls));
1158
MemSet(replaces, ' ', sizeof(replaces));
1160
replaces[Anum_pg_tablespace_spcacl - 1] = 'r';
1161
values[Anum_pg_tablespace_spcacl - 1] = PointerGetDatum(new_acl);
1163
newtuple = heap_modifytuple(tuple, relation, values, nulls, replaces);
1165
simple_heap_update(relation, &newtuple->t_self, newtuple);
1167
/* keep the catalog indexes up to date */
1168
CatalogUpdateIndexes(relation, newtuple);
1173
heap_close(relation, RowExclusiveLock);
1179
privilege_to_string(AclMode privilege)
1193
case ACL_REFERENCES:
1194
return "REFERENCES";
1203
case ACL_CREATE_TEMP:
1206
elog(ERROR, "unrecognized privilege: %d", (int) privilege);
1208
return NULL; /* appease compiler */
1213
get_grosysid(char *groname)
1218
tuple = SearchSysCache(GRONAME,
1219
PointerGetDatum(groname),
1221
if (HeapTupleIsValid(tuple))
1223
id = ((Form_pg_group) GETSTRUCT(tuple))->grosysid;
1224
ReleaseSysCache(tuple);
1228
(errcode(ERRCODE_UNDEFINED_OBJECT),
1229
errmsg("group \"%s\" does not exist", groname)));
1234
* Convert group ID to name, or return NULL if group can't be found
1237
get_groname(AclId grosysid)
1242
tuple = SearchSysCache(GROSYSID,
1243
ObjectIdGetDatum(grosysid),
1245
if (HeapTupleIsValid(tuple))
1247
name = pstrdup(NameStr(((Form_pg_group) GETSTRUCT(tuple))->groname));
1248
ReleaseSysCache(tuple);
1255
* Standardized reporting of aclcheck permissions failures.
1257
* Note: we do not double-quote the %s's below, because many callers
1258
* supply strings that might be already quoted.
1261
static const char *const no_priv_msg[MAX_ACL_KIND] =
1263
/* ACL_KIND_CLASS */
1264
gettext_noop("permission denied for relation %s"),
1265
/* ACL_KIND_DATABASE */
1266
gettext_noop("permission denied for database %s"),
1268
gettext_noop("permission denied for function %s"),
1270
gettext_noop("permission denied for operator %s"),
1272
gettext_noop("permission denied for type %s"),
1273
/* ACL_KIND_LANGUAGE */
1274
gettext_noop("permission denied for language %s"),
1275
/* ACL_KIND_NAMESPACE */
1276
gettext_noop("permission denied for schema %s"),
1277
/* ACL_KIND_OPCLASS */
1278
gettext_noop("permission denied for operator class %s"),
1279
/* ACL_KIND_CONVERSION */
1280
gettext_noop("permission denied for conversion %s"),
1281
/* ACL_KIND_TABLESPACE */
1282
gettext_noop("permission denied for tablespace %s")
1285
static const char *const not_owner_msg[MAX_ACL_KIND] =
1287
/* ACL_KIND_CLASS */
1288
gettext_noop("must be owner of relation %s"),
1289
/* ACL_KIND_DATABASE */
1290
gettext_noop("must be owner of database %s"),
1292
gettext_noop("must be owner of function %s"),
1294
gettext_noop("must be owner of operator %s"),
1296
gettext_noop("must be owner of type %s"),
1297
/* ACL_KIND_LANGUAGE */
1298
gettext_noop("must be owner of language %s"),
1299
/* ACL_KIND_NAMESPACE */
1300
gettext_noop("must be owner of schema %s"),
1301
/* ACL_KIND_OPCLASS */
1302
gettext_noop("must be owner of operator class %s"),
1303
/* ACL_KIND_CONVERSION */
1304
gettext_noop("must be owner of conversion %s"),
1305
/* ACL_KIND_TABLESPACE */
1306
gettext_noop("must be owner of tablespace %s")
1311
aclcheck_error(AclResult aclerr, AclObjectKind objectkind,
1312
const char *objectname)
1317
/* no error, so return to caller */
1319
case ACLCHECK_NO_PRIV:
1321
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1322
errmsg(no_priv_msg[objectkind], objectname)));
1324
case ACLCHECK_NOT_OWNER:
1326
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1327
errmsg(not_owner_msg[objectkind], objectname)));
1330
elog(ERROR, "unrecognized AclResult: %d", (int) aclerr);
1337
* Exported routine for examining a user's privileges for a table
1339
* See aclmask() for a description of the API.
1341
* Note: we give lookup failure the full ereport treatment because the
1342
* has_table_privilege() family of functions allow users to pass
1343
* any random OID to this function. Likewise for the sibling functions
1347
pg_class_aclmask(Oid table_oid, AclId userid,
1348
AclMode mask, AclMaskHow how)
1354
Form_pg_class classForm;
1361
* Validate userid, find out if he is superuser, also get usecatupd
1363
tuple = SearchSysCache(SHADOWSYSID,
1364
ObjectIdGetDatum(userid),
1366
if (!HeapTupleIsValid(tuple))
1368
(errcode(ERRCODE_UNDEFINED_OBJECT),
1369
errmsg("user with ID %u does not exist", userid)));
1371
usecatupd = ((Form_pg_shadow) GETSTRUCT(tuple))->usecatupd;
1373
ReleaseSysCache(tuple);
1375
usesuper = superuser_arg(userid);
1378
* Now get the relation's tuple from pg_class
1380
tuple = SearchSysCache(RELOID,
1381
ObjectIdGetDatum(table_oid),
1383
if (!HeapTupleIsValid(tuple))
1385
(errcode(ERRCODE_UNDEFINED_TABLE),
1386
errmsg("relation with OID %u does not exist",
1388
classForm = (Form_pg_class) GETSTRUCT(tuple);
1391
* Deny anyone permission to update a system catalog unless
1392
* pg_shadow.usecatupd is set. (This is to let superusers protect
1393
* themselves from themselves.) Also allow it if
1394
* allowSystemTableMods.
1396
* As of 7.4 we have some updatable system views; those shouldn't be
1397
* protected in this way. Assume the view rules can take care of
1400
if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE)) &&
1401
IsSystemClass(classForm) &&
1402
classForm->relkind != RELKIND_VIEW &&
1404
!allowSystemTableMods)
1407
elog(DEBUG2, "permission denied for system catalog update");
1409
mask &= ~(ACL_INSERT | ACL_UPDATE | ACL_DELETE);
1413
* Otherwise, superusers bypass all permission-checking.
1418
elog(DEBUG2, "%u is superuser, home free", userid);
1420
ReleaseSysCache(tuple);
1425
* Normal case: get the relation's ACL from pg_class
1427
ownerId = classForm->relowner;
1429
aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
1433
/* No ACL, so build default ACL */
1434
acl = acldefault(ACL_OBJECT_RELATION, ownerId);
1435
aclDatum = (Datum) 0;
1439
/* detoast rel's ACL if necessary */
1440
acl = DatumGetAclP(aclDatum);
1443
result = aclmask(acl, userid, ownerId, mask, how);
1445
/* if we have a detoasted copy, free it */
1446
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
1449
ReleaseSysCache(tuple);
1455
* Exported routine for examining a user's privileges for a database
1458
pg_database_aclmask(Oid db_oid, AclId userid,
1459
AclMode mask, AclMaskHow how)
1462
Relation pg_database;
1463
ScanKeyData entry[1];
1471
/* Superusers bypass all permission checking. */
1472
if (superuser_arg(userid))
1476
* Get the database's ACL from pg_database
1478
* There's no syscache for pg_database, so must look the hard way
1480
pg_database = heap_openr(DatabaseRelationName, AccessShareLock);
1481
ScanKeyInit(&entry[0],
1482
ObjectIdAttributeNumber,
1483
BTEqualStrategyNumber, F_OIDEQ,
1484
ObjectIdGetDatum(db_oid));
1485
scan = heap_beginscan(pg_database, SnapshotNow, 1, entry);
1486
tuple = heap_getnext(scan, ForwardScanDirection);
1487
if (!HeapTupleIsValid(tuple))
1489
(errcode(ERRCODE_UNDEFINED_DATABASE),
1490
errmsg("database with OID %u does not exist", db_oid)));
1492
ownerId = ((Form_pg_database) GETSTRUCT(tuple))->datdba;
1494
aclDatum = heap_getattr(tuple, Anum_pg_database_datacl,
1495
RelationGetDescr(pg_database), &isNull);
1499
/* No ACL, so build default ACL */
1500
acl = acldefault(ACL_OBJECT_DATABASE, ownerId);
1501
aclDatum = (Datum) 0;
1505
/* detoast ACL if necessary */
1506
acl = DatumGetAclP(aclDatum);
1509
result = aclmask(acl, userid, ownerId, mask, how);
1511
/* if we have a detoasted copy, free it */
1512
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
1516
heap_close(pg_database, AccessShareLock);
1522
* Exported routine for examining a user's privileges for a function
1525
pg_proc_aclmask(Oid proc_oid, AclId userid,
1526
AclMode mask, AclMaskHow how)
1535
/* Superusers bypass all permission checking. */
1536
if (superuser_arg(userid))
1540
* Get the function's ACL from pg_proc
1542
tuple = SearchSysCache(PROCOID,
1543
ObjectIdGetDatum(proc_oid),
1545
if (!HeapTupleIsValid(tuple))
1547
(errcode(ERRCODE_UNDEFINED_FUNCTION),
1548
errmsg("function with OID %u does not exist", proc_oid)));
1550
ownerId = ((Form_pg_proc) GETSTRUCT(tuple))->proowner;
1552
aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl,
1556
/* No ACL, so build default ACL */
1557
acl = acldefault(ACL_OBJECT_FUNCTION, ownerId);
1558
aclDatum = (Datum) 0;
1562
/* detoast ACL if necessary */
1563
acl = DatumGetAclP(aclDatum);
1566
result = aclmask(acl, userid, ownerId, mask, how);
1568
/* if we have a detoasted copy, free it */
1569
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
1572
ReleaseSysCache(tuple);
1578
* Exported routine for examining a user's privileges for a language
1581
pg_language_aclmask(Oid lang_oid, AclId userid,
1582
AclMode mask, AclMaskHow how)
1591
/* Superusers bypass all permission checking. */
1592
if (superuser_arg(userid))
1596
* Get the language's ACL from pg_language
1598
tuple = SearchSysCache(LANGOID,
1599
ObjectIdGetDatum(lang_oid),
1601
if (!HeapTupleIsValid(tuple))
1603
(errcode(ERRCODE_UNDEFINED_OBJECT),
1604
errmsg("language with OID %u does not exist", lang_oid)));
1606
/* XXX pg_language should have an owner column, but doesn't */
1607
ownerId = BOOTSTRAP_USESYSID;
1609
aclDatum = SysCacheGetAttr(LANGOID, tuple, Anum_pg_language_lanacl,
1613
/* No ACL, so build default ACL */
1614
acl = acldefault(ACL_OBJECT_LANGUAGE, ownerId);
1615
aclDatum = (Datum) 0;
1619
/* detoast ACL if necessary */
1620
acl = DatumGetAclP(aclDatum);
1623
result = aclmask(acl, userid, ownerId, mask, how);
1625
/* if we have a detoasted copy, free it */
1626
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
1629
ReleaseSysCache(tuple);
1635
* Exported routine for examining a user's privileges for a namespace
1638
pg_namespace_aclmask(Oid nsp_oid, AclId userid,
1639
AclMode mask, AclMaskHow how)
1648
/* Superusers bypass all permission checking. */
1649
if (superuser_arg(userid))
1653
* If we have been assigned this namespace as a temp namespace, check
1654
* to make sure we have CREATE TEMP permission on the database, and if
1655
* so act as though we have all standard (but not GRANT OPTION)
1656
* permissions on the namespace. If we don't have CREATE TEMP, act as
1657
* though we have only USAGE (and not CREATE) rights.
1659
* This may seem redundant given the check in InitTempTableNamespace, but
1660
* it really isn't since current user ID may have changed since then.
1661
* The upshot of this behavior is that a SECURITY DEFINER function can
1662
* create temp tables that can then be accessed (if permission is
1663
* granted) by code in the same session that doesn't have permissions
1664
* to create temp tables.
1666
* XXX Would it be safe to ereport a special error message as
1667
* InitTempTableNamespace does? Returning zero here means we'll get a
1668
* generic "permission denied for schema pg_temp_N" message, which is
1669
* not remarkably user-friendly.
1671
if (isTempNamespace(nsp_oid))
1673
if (pg_database_aclcheck(MyDatabaseId, GetUserId(),
1674
ACL_CREATE_TEMP) == ACLCHECK_OK)
1675
return mask & ACL_ALL_RIGHTS_NAMESPACE;
1677
return mask & ACL_USAGE;
1681
* Get the schema's ACL from pg_namespace
1683
tuple = SearchSysCache(NAMESPACEOID,
1684
ObjectIdGetDatum(nsp_oid),
1686
if (!HeapTupleIsValid(tuple))
1688
(errcode(ERRCODE_UNDEFINED_SCHEMA),
1689
errmsg("schema with OID %u does not exist", nsp_oid)));
1691
ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
1693
aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple, Anum_pg_namespace_nspacl,
1697
/* No ACL, so build default ACL */
1698
acl = acldefault(ACL_OBJECT_NAMESPACE, ownerId);
1699
aclDatum = (Datum) 0;
1703
/* detoast ACL if necessary */
1704
acl = DatumGetAclP(aclDatum);
1707
result = aclmask(acl, userid, ownerId, mask, how);
1709
/* if we have a detoasted copy, free it */
1710
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
1713
ReleaseSysCache(tuple);
1719
* Exported routine for examining a user's privileges for a tablespace
1722
pg_tablespace_aclmask(Oid spc_oid, AclId userid,
1723
AclMode mask, AclMaskHow how)
1726
Relation pg_tablespace;
1727
ScanKeyData entry[1];
1736
* Only shared relations can be stored in global space; don't let even
1737
* superusers override this
1739
if (spc_oid == GLOBALTABLESPACE_OID && !IsBootstrapProcessingMode())
1742
/* Otherwise, superusers bypass all permission checking. */
1743
if (superuser_arg(userid))
1747
* Get the tablespace's ACL from pg_tablespace
1749
* There's no syscache for pg_tablespace, so must look the hard way
1751
pg_tablespace = heap_openr(TableSpaceRelationName, AccessShareLock);
1752
ScanKeyInit(&entry[0],
1753
ObjectIdAttributeNumber,
1754
BTEqualStrategyNumber, F_OIDEQ,
1755
ObjectIdGetDatum(spc_oid));
1756
scan = heap_beginscan(pg_tablespace, SnapshotNow, 1, entry);
1757
tuple = heap_getnext(scan, ForwardScanDirection);
1758
if (!HeapTupleIsValid(tuple))
1760
(errcode(ERRCODE_UNDEFINED_OBJECT),
1761
errmsg("tablespace with OID %u does not exist", spc_oid)));
1763
ownerId = ((Form_pg_tablespace) GETSTRUCT(tuple))->spcowner;
1765
aclDatum = heap_getattr(tuple, Anum_pg_tablespace_spcacl,
1766
RelationGetDescr(pg_tablespace), &isNull);
1770
/* No ACL, so build default ACL */
1771
acl = acldefault(ACL_OBJECT_TABLESPACE, ownerId);
1772
aclDatum = (Datum) 0;
1776
/* detoast ACL if necessary */
1777
acl = DatumGetAclP(aclDatum);
1780
result = aclmask(acl, userid, ownerId, mask, how);
1782
/* if we have a detoasted copy, free it */
1783
if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
1787
heap_close(pg_tablespace, AccessShareLock);
1794
* Exported routine for checking a user's access privileges to a table
1796
* Returns ACLCHECK_OK if the user has any of the privileges identified by
1797
* 'mode'; otherwise returns a suitable error code (in practice, always
1798
* ACLCHECK_NO_PRIV).
1801
pg_class_aclcheck(Oid table_oid, AclId userid, AclMode mode)
1803
if (pg_class_aclmask(table_oid, userid, mode, ACLMASK_ANY) != 0)
1806
return ACLCHECK_NO_PRIV;
1810
* Exported routine for checking a user's access privileges to a database
1813
pg_database_aclcheck(Oid db_oid, AclId userid, AclMode mode)
1815
if (pg_database_aclmask(db_oid, userid, mode, ACLMASK_ANY) != 0)
1818
return ACLCHECK_NO_PRIV;
1822
* Exported routine for checking a user's access privileges to a function
1825
pg_proc_aclcheck(Oid proc_oid, AclId userid, AclMode mode)
1827
if (pg_proc_aclmask(proc_oid, userid, mode, ACLMASK_ANY) != 0)
1830
return ACLCHECK_NO_PRIV;
1834
* Exported routine for checking a user's access privileges to a language
1837
pg_language_aclcheck(Oid lang_oid, AclId userid, AclMode mode)
1839
if (pg_language_aclmask(lang_oid, userid, mode, ACLMASK_ANY) != 0)
1842
return ACLCHECK_NO_PRIV;
1846
* Exported routine for checking a user's access privileges to a namespace
1849
pg_namespace_aclcheck(Oid nsp_oid, AclId userid, AclMode mode)
1851
if (pg_namespace_aclmask(nsp_oid, userid, mode, ACLMASK_ANY) != 0)
1854
return ACLCHECK_NO_PRIV;
1858
* Exported routine for checking a user's access privileges to a tablespace
1861
pg_tablespace_aclcheck(Oid spc_oid, AclId userid, AclMode mode)
1863
if (pg_tablespace_aclmask(spc_oid, userid, mode, ACLMASK_ANY) != 0)
1866
return ACLCHECK_NO_PRIV;
1871
* Ownership check for a relation (specified by OID).
1874
pg_class_ownercheck(Oid class_oid, AclId userid)
1879
/* Superusers bypass all permission checking. */
1880
if (superuser_arg(userid))
1883
tuple = SearchSysCache(RELOID,
1884
ObjectIdGetDatum(class_oid),
1886
if (!HeapTupleIsValid(tuple))
1888
(errcode(ERRCODE_UNDEFINED_TABLE),
1889
errmsg("relation with OID %u does not exist", class_oid)));
1891
owner_id = ((Form_pg_class) GETSTRUCT(tuple))->relowner;
1893
ReleaseSysCache(tuple);
1895
return userid == owner_id;
1899
* Ownership check for a type (specified by OID).
1902
pg_type_ownercheck(Oid type_oid, AclId userid)
1907
/* Superusers bypass all permission checking. */
1908
if (superuser_arg(userid))
1911
tuple = SearchSysCache(TYPEOID,
1912
ObjectIdGetDatum(type_oid),
1914
if (!HeapTupleIsValid(tuple))
1916
(errcode(ERRCODE_UNDEFINED_OBJECT),
1917
errmsg("type with OID %u does not exist", type_oid)));
1919
owner_id = ((Form_pg_type) GETSTRUCT(tuple))->typowner;
1921
ReleaseSysCache(tuple);
1923
return userid == owner_id;
1927
* Ownership check for an operator (specified by OID).
1930
pg_oper_ownercheck(Oid oper_oid, AclId userid)
1935
/* Superusers bypass all permission checking. */
1936
if (superuser_arg(userid))
1939
tuple = SearchSysCache(OPEROID,
1940
ObjectIdGetDatum(oper_oid),
1942
if (!HeapTupleIsValid(tuple))
1944
(errcode(ERRCODE_UNDEFINED_FUNCTION),
1945
errmsg("operator with OID %u does not exist", oper_oid)));
1947
owner_id = ((Form_pg_operator) GETSTRUCT(tuple))->oprowner;
1949
ReleaseSysCache(tuple);
1951
return userid == owner_id;
1955
* Ownership check for a function (specified by OID).
1958
pg_proc_ownercheck(Oid proc_oid, AclId userid)
1963
/* Superusers bypass all permission checking. */
1964
if (superuser_arg(userid))
1967
tuple = SearchSysCache(PROCOID,
1968
ObjectIdGetDatum(proc_oid),
1970
if (!HeapTupleIsValid(tuple))
1972
(errcode(ERRCODE_UNDEFINED_FUNCTION),
1973
errmsg("function with OID %u does not exist", proc_oid)));
1975
owner_id = ((Form_pg_proc) GETSTRUCT(tuple))->proowner;
1977
ReleaseSysCache(tuple);
1979
return userid == owner_id;
1983
* Ownership check for a namespace (specified by OID).
1986
pg_namespace_ownercheck(Oid nsp_oid, AclId userid)
1991
/* Superusers bypass all permission checking. */
1992
if (superuser_arg(userid))
1995
tuple = SearchSysCache(NAMESPACEOID,
1996
ObjectIdGetDatum(nsp_oid),
1998
if (!HeapTupleIsValid(tuple))
2000
(errcode(ERRCODE_UNDEFINED_SCHEMA),
2001
errmsg("schema with OID %u does not exist", nsp_oid)));
2003
owner_id = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
2005
ReleaseSysCache(tuple);
2007
return userid == owner_id;
2011
* Ownership check for a tablespace (specified by OID).
2014
pg_tablespace_ownercheck(Oid spc_oid, AclId userid)
2016
Relation pg_tablespace;
2017
ScanKeyData entry[1];
2022
/* Superusers bypass all permission checking. */
2023
if (superuser_arg(userid))
2026
/* There's no syscache for pg_tablespace, so must look the hard way */
2027
pg_tablespace = heap_openr(TableSpaceRelationName, AccessShareLock);
2028
ScanKeyInit(&entry[0],
2029
ObjectIdAttributeNumber,
2030
BTEqualStrategyNumber, F_OIDEQ,
2031
ObjectIdGetDatum(spc_oid));
2032
scan = heap_beginscan(pg_tablespace, SnapshotNow, 1, entry);
2034
spctuple = heap_getnext(scan, ForwardScanDirection);
2036
if (!HeapTupleIsValid(spctuple))
2038
(errcode(ERRCODE_UNDEFINED_OBJECT),
2039
errmsg("tablespace with OID %u does not exist", spc_oid)));
2041
spcowner = ((Form_pg_tablespace) GETSTRUCT(spctuple))->spcowner;
2044
heap_close(pg_tablespace, AccessShareLock);
2046
return userid == spcowner;
2050
* Ownership check for an operator class (specified by OID).
2053
pg_opclass_ownercheck(Oid opc_oid, AclId userid)
2058
/* Superusers bypass all permission checking. */
2059
if (superuser_arg(userid))
2062
tuple = SearchSysCache(CLAOID,
2063
ObjectIdGetDatum(opc_oid),
2065
if (!HeapTupleIsValid(tuple))
2067
(errcode(ERRCODE_UNDEFINED_OBJECT),
2068
errmsg("operator class with OID %u does not exist",
2071
owner_id = ((Form_pg_opclass) GETSTRUCT(tuple))->opcowner;
2073
ReleaseSysCache(tuple);
2075
return userid == owner_id;
2079
* Ownership check for a database (specified by OID).
2082
pg_database_ownercheck(Oid db_oid, AclId userid)
2084
Relation pg_database;
2085
ScanKeyData entry[1];
2090
/* Superusers bypass all permission checking. */
2091
if (superuser_arg(userid))
2094
/* There's no syscache for pg_database, so must look the hard way */
2095
pg_database = heap_openr(DatabaseRelationName, AccessShareLock);
2096
ScanKeyInit(&entry[0],
2097
ObjectIdAttributeNumber,
2098
BTEqualStrategyNumber, F_OIDEQ,
2099
ObjectIdGetDatum(db_oid));
2100
scan = heap_beginscan(pg_database, SnapshotNow, 1, entry);
2102
dbtuple = heap_getnext(scan, ForwardScanDirection);
2104
if (!HeapTupleIsValid(dbtuple))
2106
(errcode(ERRCODE_UNDEFINED_DATABASE),
2107
errmsg("database with OID %u does not exist", db_oid)));
2109
dba = ((Form_pg_database) GETSTRUCT(dbtuple))->datdba;
2112
heap_close(pg_database, AccessShareLock);
2114
return userid == dba;
2118
* Ownership check for a conversion (specified by OID).
2121
pg_conversion_ownercheck(Oid conv_oid, AclId userid)
2126
/* Superusers bypass all permission checking. */
2127
if (superuser_arg(userid))
2130
tuple = SearchSysCache(CONOID,
2131
ObjectIdGetDatum(conv_oid),
2133
if (!HeapTupleIsValid(tuple))
2135
(errcode(ERRCODE_UNDEFINED_OBJECT),
2136
errmsg("conversion with OID %u does not exist", conv_oid)));
2138
owner_id = ((Form_pg_conversion) GETSTRUCT(tuple))->conowner;
2140
ReleaseSysCache(tuple);
2142
return userid == owner_id;