diff options
| author | Noah Misch <noah@leadboat.com> | 2015-09-20 20:45:41 -0400 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2015-09-20 20:45:41 -0400 |
| commit | 537bd178c73b1d25938347b17e9e3e62898fc231 (patch) | |
| tree | ca5e94272fa4d90eec34454c83ab31d8921b8378 /src/backend/utils/misc/guc.c | |
| parent | 8346218c029dc0db425e3bea20033f96e1543df9 (diff) | |
Remove the row_security=force GUC value.
Every query of a single ENABLE ROW SECURITY table has two meanings, with
the row_security GUC selecting between them. With row_security=force
available, every function author would have been advised to either set
the GUC locally or test both meanings. Non-compliance would have
threatened reliability and, for SECURITY DEFINER functions, security.
Authors already face an obligation to account for search_path, and we
should not mimic that example. With this change, only BYPASSRLS roles
need exercise the aforementioned care. Back-patch to 9.5, where the
row_security GUC was introduced.
Since this narrows the domain of pg_db_role_setting.setconfig and
pg_proc.proconfig, one might bump catversion. A row_security=force
setting in one of those columns will elicit a clear message, so don't.
Diffstat (limited to 'src/backend/utils/misc/guc.c')
| -rw-r--r-- | src/backend/utils/misc/guc.c | 39 |
1 files changed, 10 insertions, 29 deletions
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 8ebf4246b8e..fcba3c59d03 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -380,23 +380,6 @@ static const struct config_enum_entry huge_pages_options[] = { }; /* - * Although only "on", "off", and "force" are documented, we - * accept all the likely variants of "on" and "off". - */ -static const struct config_enum_entry row_security_options[] = { - {"on", ROW_SECURITY_ON, false}, - {"off", ROW_SECURITY_OFF, false}, - {"force", ROW_SECURITY_FORCE, false}, - {"true", ROW_SECURITY_ON, true}, - {"false", ROW_SECURITY_OFF, true}, - {"yes", ROW_SECURITY_ON, true}, - {"no", ROW_SECURITY_OFF, true}, - {"1", ROW_SECURITY_ON, true}, - {"0", ROW_SECURITY_OFF, true}, - {NULL, 0, false} -}; - -/* * Options for enum values stored in other modules */ extern const struct config_enum_entry wal_level_options[]; @@ -421,6 +404,7 @@ bool log_statement_stats = false; /* this is sort of all three bool log_btree_build_stats = false; char *event_source; +bool row_security; bool check_function_bodies = true; bool default_with_oids = false; bool SQL_inheritance = true; @@ -452,8 +436,6 @@ int tcp_keepalives_idle; int tcp_keepalives_interval; int tcp_keepalives_count; -int row_security; - /* * This really belongs in pg_shmem.c, but is defined here so that it doesn't * need to be duplicated in all the different implementations of pg_shmem.c. @@ -1374,6 +1356,15 @@ static struct config_bool ConfigureNamesBool[] = check_transaction_deferrable, NULL, NULL }, { + {"row_security", PGC_USERSET, CONN_AUTH_SECURITY, + gettext_noop("Enable row security."), + gettext_noop("When enabled, row security will be applied to all users.") + }, + &row_security, + true, + NULL, NULL, NULL + }, + { {"check_function_bodies", PGC_USERSET, CLIENT_CONN_STATEMENT, gettext_noop("Check function bodies during CREATE FUNCTION."), NULL @@ -3630,16 +3621,6 @@ static struct config_enum ConfigureNamesEnum[] = NULL, NULL, NULL }, - { - {"row_security", PGC_USERSET, CONN_AUTH_SECURITY, - gettext_noop("Enable row security."), - gettext_noop("When enabled, row security will be applied to all users.") - }, - &row_security, - ROW_SECURITY_ON, row_security_options, - NULL, NULL, NULL - }, - /* End-of-list marker */ { {NULL, 0, 0, NULL, NULL}, NULL, 0, NULL, NULL, NULL, NULL |