Обсуждение: Re: [BUGS] 7.4 beta 1: SET log_statement=false
[ Moved to hackers.] Tom Lane wrote: > Bertrand Petit <pgsql-bugs@phoe.frmug.org> writes: > > Non superusers can set log_statement to true but can't set it > > back to false even if log_statement was false at the begining of a > > connection. > > Yeah. I think that the restrictions for USERLIMIT variables ought to > compare against the reset_val, not the session_val. I wish reset_val would fix it. This is the code being used: /* Limit non-superuser changes */ if (record->context == PGC_USERLIMIT && source > PGC_S_UNPRIVILEGED && newval< conf->session_val && !superuser()) { ereport(elevel, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("permission denied to set option \"%s\"", name), errhint("Must be superuser to change this valueto false."))); return false; } It basically says: o is this a USERLIMIT variable (restrict non-super users)o is the new value being set in a user-accessible way o is the valuebeing set to true from falseo is this person not a super-user I tried adding this line: record->session_source < PGC_S_UNPRIVILEGED && and it does allow you to set the variable to false if you have set it to true in your session, but it also allows you to set it to false if it is set to true in postgresql.conf. You do this by setting it to 'true' _then_ to 'false' in your session. The reason this works is that there is no history in the GUC code to record the value this variable was set at various locations. Once you set it to 'true' in your session, the system remembers that, and forgets it was also set to true in postgresql.conf, and therefore allows you to set it to false. The documentation is vague on this point. It says: Only superusers can turn off this option if it is enabled by the administrator. I think I should remove the part about administrators, and just say: Only superusers can turn off this option. or is that worse? The administrator part makes it clear why you shouldn't be able to set it to false. Peter, do you have any ideas on this? -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
Bruce Momjian <pgman@candle.pha.pa.us> writes: > /* Limit non-superuser changes */ > if (record->context == PGC_USERLIMIT && > source > PGC_S_UNPRIVILEGED && > newval < conf->session_val && ^^^^^^^^^^^ I had in mind s/session_val/reset_val/ right here. Why wouldn't that work? regards, tom lane
Tom Lane wrote: > Bruce Momjian <pgman@candle.pha.pa.us> writes: > > /* Limit non-superuser changes */ > > if (record->context == PGC_USERLIMIT && > > source > PGC_S_UNPRIVILEGED && > > newval < conf->session_val && > ^^^^^^^^^^^ > > I had in mind s/session_val/reset_val/ right here. Why wouldn't that > work? Yes, I have been thinking of that. The big question is whether a non-super user can control the reset value? I don't know the answer, so I didn't take the chance. Does anyone know? I assume Peter does and was hoping for his help on this before we go 7.4 final. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
On Wed, Aug 13, 2003 at 06:05:46PM -0400, Bruce Momjian wrote: > I tried adding this line: > > record->session_source < PGC_S_UNPRIVILEGED && > > and it does allow you to set the variable to false if you have set it to > true in your session, but it also allows you to set it to false if it is > set to true in postgresql.conf. You do this by setting it to 'true' > _then_ to 'false' in your session. The reason this works is that there > is no history in the GUC code to record the value this variable was set > at various locations. Once you set it to 'true' in your session, the > system remembers that, and forgets it was also set to true in > postgresql.conf, and therefore allows you to set it to false. The following describes what I would do if I had the controls on the postgres source code: I would put the lambda-user protected configuration parameters under the control of a system similar to what is used for the {get|set}rlimit system calls. At the begining of a session, a snapshot of the parameters is taken, it is kept appart from the live parameters. The snapshot would be used by the parameters controller to permit or deny a parameter change depending on the snaphot value, the current value, the desired new value and a set of rules. A rule could express things like theses: * boolean values: * deny change if the new value would transition from true to false and the snapshot value is true; * allow change if the new value would transition from true to false and the snapshot value is false; * and any the the negation and/or inverse of both of these rules. * numerical values: * deny the change if the new value would be less than the snapshot value and the current value is larger than thesnapshot value; * deny the change if the new value would be greater than the snapshot value and the current value is less than thesnapshot value; * new textual values would be matched against a set of acceptable or unacceptable user values, the status returned bythe countroller would be according the matched set. A scheme like this would allow a tolerance from the user point of view while fixing limits on what can be done by non-superuser accounts. It could also be interesting to tie the parameters set to transactions: parameters changed while inside a transaction could be reset to their default or pre-transactions values on a commit or rollback. This could look like the behavior of the save/restore postscript operators. Regards. -- %!PS 297.6 420.9 translate 90 rotate 0 setgray gsave 0 1 1{pop 0 180 moveto 100 180 170 100 170 -10 curveto 180 -9 180 -9 190 -10 curveto 190 100 100 180 0 180 curveto fill 180 rotate}for grestore/Bookman-LightItalic findfont 240 scalefont setfont -151.536392 -63.7998886 moveto (bp)show showpage
Bruce Momjian <pgman@candle.pha.pa.us> writes: > Yes, I have been thinking of that. The big question is whether a > non-super user can control the reset value? He could (via PGOPTIONS) ... but since he can only increase it, there is nothing to fear. regards, tom lane