Participants
Tomas Vondra
Tomas Vondra
PG Bug reporting form
PG Bug reporting form
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1PG Bug reporting formPG Bug reporting form
Jul 16, 2018
#2Tomas VondraTomas Vondrato PG Bug reporting form (#1)
Jul 16, 2018
#3Tom LaneTom Laneto Tomas Vondra (#2)
Jul 16, 2018
#4Tomas VondraTomas Vondrato Tom Lane (#3)
Jul 16, 2018

BUG #15281: Set role does not affect superuser privleges

Started by PG Bug reporting formover 7 years ago4 messagesbugs
Jump to latest
#1PG Bug reporting form
PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 15281
Logged by: Michal Wozny
Email address: torcher999@gmail.com
PostgreSQL version: 10.4
Operating system: Windows Server 2012 R2
Description:

Here are the two scenarios I tested:

1) as a session_user: superuser and current_user: non-superuser I can edit
others' tables
2) as a session_user: non-superuser and current_user: superuser I cannot
edit others' tables

The documentation contradicts 1) explicitly, 2) implicitly:

"when a superuser chooses to SET ROLE to a non-superuser role, they lose
their superuser privileges."
Source: https://www.postgresql.org/docs/current/static/sql-set-role.html

Steps to reproduce:

Preconditions:
create two non-superusers [user1, user2]
create one superuser [user0]
grant user0 to user1
create a table [u2_tab] with owner user2

1)
disconnect
connect as user0
set role user1
rename u2_tab

expected: cannot rename u2_tab
actual: can rename u2_tab

2)
disconnect
connect as user1
set role user0
rename u2_tab

expected: can rename u2_tab
actual: cannot rename u2_tab

SQL steps:

Preconditions:
CREATE USER user0 WITH SUPERUSER
CREATE USER user1
GRANT user0 to user1
CREATE USER user2
CREATE TABLE public.u2_tab
ALTER TABLE public.u2_tab OWNER TO user2

1)
DISCONNECT
CONNECT TO db AS user0
SET ROLE user1
ALTER TABLE public.u2_tab RENAME TO u2_tab1

2)
DISCONNECT
CONNECT TO db AS user1
SET ROLE user0
ALTER TABLE public.u2_tab1 RENAME TO u2_tab2

#2Tomas Vondra
Tomas Vondra
tomas.vondra@2ndquadrant.com
In reply to: PG Bug reporting form (#1)
Re: BUG #15281: Set role does not affect superuser privleges

On 07/16/2018 04:55 PM, PG Bug reporting form wrote:

The following bug has been logged on the website:

Bug reference: 15281
Logged by: Michal Wozny
Email address: torcher999@gmail.com
PostgreSQL version: 10.4
Operating system: Windows Server 2012 R2
Description:

Here are the two scenarios I tested:

1) as a session_user: superuser and current_user: non-superuser I can edit
others' tables
2) as a session_user: non-superuser and current_user: superuser I cannot
edit others' tables

The documentation contradicts 1) explicitly, 2) implicitly:

"when a superuser chooses to SET ROLE to a non-superuser role, they lose
their superuser privileges."
Source: https://www.postgresql.org/docs/current/static/sql-set-role.html

Steps to reproduce:

Preconditions:
create two non-superusers [user1, user2]
create one superuser [user0]
grant user0 to user1
create a table [u2_tab] with owner user2

1)
disconnect
connect as user0
set role user1
rename u2_tab

expected: cannot rename u2_tab
actual: can rename u2_tab

2)
disconnect
connect as user1
set role user0
rename u2_tab

expected: can rename u2_tab
actual: cannot rename u2_tab

SQL steps:

Preconditions:
CREATE USER user0 WITH SUPERUSER
CREATE USER user1
GRANT user0 to user1
CREATE USER user2
CREATE TABLE public.u2_tab
ALTER TABLE public.u2_tab OWNER TO user2

1)
DISCONNECT
CONNECT TO db AS user0
SET ROLE user1
ALTER TABLE public.u2_tab RENAME TO u2_tab1

2)
DISCONNECT
CONNECT TO db AS user1
SET ROLE user0
ALTER TABLE public.u2_tab1 RENAME TO u2_tab2

It's usually a good idea to provide exact scripts / output so that
people can reproduce the issue easily. For me it behaves like this:

1) non-superuser

test=# drop table u2_tab ;
DROP TABLE
test=# drop role user1;
DROP ROLE
test=# drop role user2;
DROP ROLE
test=# drop role user0;
DROP ROLE
test=# CREATE USER user0 WITH SUPERUSER;
CREATE ROLE
test=# CREATE USER user1;
CREATE ROLE
test=# CREATE USER user2;
CREATE ROLE
test=# CREATE TABLE public.u2_tab();
CREATE TABLE
test=# ALTER TABLE public.u2_tab OWNER TO user2;
ALTER TABLE
test=# \c - user0
You are now connected to database "test" as user "user0".
test=# SET ROLE user1;
SET
test=> ALTER TABLE public.u2_tab RENAME TO u2_tab1;
ERROR: must be owner of table u2_tab

2) superuser

test=# drop table u2_tab ;
DROP TABLE
test=# drop role user0;
DROP ROLE
test=# drop role user1;
DROP ROLE
test=# drop role user2;
DROP ROLE
test=#
test=#
test=#
test=#
test=# CREATE USER user0 WITH SUPERUSER;
CREATE ROLE
test=# CREATE USER user1;
CREATE ROLE
test=# CREATE USER user2;
CREATE ROLE
test=# CREATE TABLE public.u2_tab();
CREATE TABLE
test=# ALTER TABLE public.u2_tab OWNER TO user2;
ALTER TABLE
test=# \c - user0
You are now connected to database "test" as user "user0".
test=# ALTER TABLE public.u2_tab RENAME TO u2_tab1;
ALTER TABLE

So, correct in both cases. I'm not on Windows, but I don't see why would
it behave differently there.

regards

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

#3Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Tomas Vondra (#2)
Re: BUG #15281: Set role does not affect superuser privleges

Tomas Vondra <tomas.vondra@2ndquadrant.com> writes:

On 07/16/2018 04:55 PM, PG Bug reporting form wrote:

Here are the two scenarios I tested:
1) as a session_user: superuser and current_user: non-superuser I can edit
others' tables
2) as a session_user: non-superuser and current_user: superuser I cannot
edit others' tables

It's usually a good idea to provide exact scripts / output so that
people can reproduce the issue easily. For me it behaves like this:
...
So, correct in both cases. I'm not on Windows, but I don't see why would
it behave differently there.

Tomas' test left out the "GRANT user0 to user1" bit, but I can't
reproduce the behavior as described either.

regards, tom lane

#4Tomas Vondra
Tomas Vondra
tomas.vondra@2ndquadrant.com
In reply to: Tom Lane (#3)
Re: BUG #15281: Set role does not affect superuser privleges

On 07/17/2018 12:12 AM, Tom Lane wrote:

Tomas Vondra <tomas.vondra@2ndquadrant.com> writes:

On 07/16/2018 04:55 PM, PG Bug reporting form wrote:

Here are the two scenarios I tested:
1) as a session_user: superuser and current_user: non-superuser I can edit
others' tables
2) as a session_user: non-superuser and current_user: superuser I cannot
edit others' tables

It's usually a good idea to provide exact scripts / output so that
people can reproduce the issue easily. For me it behaves like this:
...
So, correct in both cases. I'm not on Windows, but I don't see why would
it behave differently there.

Tomas' test left out the "GRANT user0 to user1" bit, but I can't
reproduce the behavior as described either.

Ah, right. Sorry for not mentioning that.

I've actually tried both with and without that GRANT (no effect on
behavior), but I've assumed it's there only to allow the `SET user0`
which I've replaced by connecting directly as user0. So I haven't
included it into the response.

regards

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

← Back to Topics