Add new USERLIMIT GUC source level so certain options can be disabled

or increased only by super-users. This fixes problems caused by making certain variables SUSET for security reasons.

Add new USERLIMIT GUC source level so certain options can be disabled
or increased only by super-users. This fixes problems caused by making certain variables SUSET for security reasons.
bf889e64 · Bruce Momjian · 6896bfa8 · bf889e64 · bf889e64 · bf889e64
Commit bf889e64 authored Jul 09, 2003 by Bruce Momjian
4 changed files
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.190 2003/07/04 16:41:21 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.191 2003/07/09 06:47:34 momjian Exp $
 -->

 <Chapter Id="runtime">
@@ -1541,6 +1541,7 @@ SET ENABLE_SEQSCAN TO OFF;
        to the log.  The default is <literal>NOTICE</>.  Note that
        <literal>LOG</> has a different rank here than in
        <literal>CLIENT_MIN_MESSAGES</>.
+        Only superusers can increase this option.
       </para>
      </listitem>
     </varlistentry>
@@ -1576,6 +1577,7 @@ SET ENABLE_SEQSCAN TO OFF;
        SQL statements causing errors, fatal errors, or panics will be
        logged. Enabling this option can be helpful in tracking down
        the source of any errors that appear in the server log.
+        Only superusers can increase this option.
       </para>
      </listitem>
     </varlistentry>
@@ -1593,6 +1595,8 @@ SET ENABLE_SEQSCAN TO OFF;
         than 250ms will be logged.  Enabling this
         option can be useful in tracking down unoptimized queries in
         your applications.
+         Only superusers can increase this option if it is set to
+         non-zero by the administrator.
        </para>
       </listitem>
      </varlistentry>
@@ -1743,6 +1747,8 @@ SET ENABLE_SEQSCAN TO OFF;
        To use this option, enable <varname>LOG_STATEMENT</> and
        <varname>LOG_PID</> so you can link the statement to the
        duration using the process ID.
+        Only superusers can turn off this option if it is enabled by
+        the administrator.
       </para>
      </listitem>
     </varlistentry>
@@ -1765,6 +1771,8 @@ SET ENABLE_SEQSCAN TO OFF;
      <listitem>
       <para>
        Causes each SQL statement to be logged.
+        Only superusers can turn off this option if it is enabled by
+        the administrator.
       </para>
      </listitem>
     </varlistentry>
@@ -1826,6 +1834,8 @@ SET ENABLE_SEQSCAN TO OFF;
        For each query, write performance statistics of the respective
        module to the server log. This is a crude profiling
        instrument.
+        Only superusers can turn off this option if it is enabled by
+        the administrator.
       </para>
      </listitem>
     </varlistentry>

--- a/src/backend/tcop/postgres.c
+++ b/src/backend/tcop/postgres.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/tcop/postgres.c,v 1.349 2003/07/04 16:41:21 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/tcop/postgres.c,v 1.350 2003/07/09 06:47:34 momjian Exp $
 *
 * NOTES
 *	  this is the "main" module of the postgres backend and
@@ -1943,7 +1943,7 @@ PostgresMain(int argc, char *argv[], const char *username)
 	bool		secure;
 	int			errs = 0;
 	int			debug_flag = 0;
-	GucContext	ctx;
+	GucContext	ctx, debug_context;
 	GucSource	gucsource;
 	char	   *tmp;
 	int			firstchar;
@@ -2018,7 +2018,7 @@ PostgresMain(int argc, char *argv[], const char *username)

 	/* all options are allowed until '-p' */
 	secure = true;
-	ctx = PGC_POSTMASTER;
+	ctx = debug_context = PGC_POSTMASTER;
 	gucsource = PGC_S_ARGV;		/* initial switches came from command line */

 	while ((flag = getopt(argc, argv, "A:B:c:CD:d:Eef:FiNOPo:p:S:st:v:W:x:-:")) != -1)
@@ -2054,10 +2054,18 @@ PostgresMain(int argc, char *argv[], const char *username)
 				break;

 			case 'd':			/* debug level */
+				{
+					/*
+					 *	Client option can't decrease debug level.
+					 *	We have to do the test here because we group priv and client
+					 *	set GUC calls below, after we know the final debug value.
+					 */					   
+					if (ctx != PGC_BACKEND || atoi(optarg) > debug_flag)
 					{
 						debug_flag = atoi(optarg);
+						debug_context = ctx;	/* save context for use below */
 						/* Set server debugging level. */
-					if (atoi(optarg) != 0)
+						if (debug_flag != 0)
 						{
 							char	   *debugstr = palloc(strlen("debug") + strlen(optarg) + 1);
 	
@@ -2075,6 +2083,7 @@ PostgresMain(int argc, char *argv[], const char *username)
 							SetConfigOption("log_min_messages", "notice",
 											ctx, gucsource);
 					}
+				}
 				break;

 			case 'E':
@@ -2323,20 +2332,19 @@ PostgresMain(int argc, char *argv[], const char *username)


 	/*
-	 * -d is not the same as setting
-	 * log_min_messages because it enables other
-	 * output options.
+	 * -d is not the same as setting log_min_messages because it enables
+	 * other output options.
 	 */
 	if (debug_flag >= 1)
-		SetConfigOption("log_connections", "true", ctx, gucsource);
+		SetConfigOption("log_connections", "true", debug_context, gucsource);
 	if (debug_flag >= 2)
-		SetConfigOption("log_statement", "true", ctx, gucsource);
+		SetConfigOption("log_statement", "true", debug_context, gucsource);
 	if (debug_flag >= 3)
-		SetConfigOption("debug_print_parse", "true", ctx, gucsource);
+		SetConfigOption("debug_print_parse", "true", debug_context, gucsource);
 	if (debug_flag >= 4)
-		SetConfigOption("debug_print_plan", "true", ctx, gucsource);
+		SetConfigOption("debug_print_plan", "true", debug_context, gucsource);
 	if (debug_flag >= 5)
-		SetConfigOption("debug_print_rewritten", "true", ctx, gucsource);
+		SetConfigOption("debug_print_rewritten", "true", debug_context, gucsource);

 	/*
 	 * Process any additional GUC variable settings passed in startup packet.
@@ -2548,7 +2556,7 @@ PostgresMain(int argc, char *argv[], const char *username)
 	if (!IsUnderPostmaster)
 	{
 		puts("\nPOSTGRES backend interactive interface ");
-		puts("$Revision: 1.349 $ $Date: 2003/07/04 16:41:21 $\n");
+		puts("$Revision: 1.350 $ $Date: 2003/07/09 06:47:34 $\n");
 	}

 	/*

--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.134 2003/07/04 16:41:21 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.135 2003/07/09 06:47:34 momjian Exp $
 *
 *--------------------------------------------------------------------
 */
@@ -449,7 +449,7 @@ static struct config_bool ConfigureNamesBool[] =
 		false, NULL, NULL
 	},
 	{
-		{"log_statement", PGC_SUSET, LOGGING_WHAT,
+		{"log_statement", PGC_USERLIMIT, LOGGING_WHAT,
 			gettext_noop("Causes each SQL statement to be logged"),
 			NULL
 		},
@@ -457,7 +457,7 @@ static struct config_bool ConfigureNamesBool[] =
 		false, NULL, NULL
 	},
 	{
-		{"log_duration", PGC_SUSET, LOGGING_WHAT,
+		{"log_duration", PGC_USERLIMIT, LOGGING_WHAT,
 			gettext_noop("Duration of every completed statement is logged"),
 			NULL
 		},
@@ -497,7 +497,7 @@ static struct config_bool ConfigureNamesBool[] =
 		false, NULL, NULL
 	},
 	{
-		{"log_parser_stats", PGC_SUSET, STATS_MONITORING,
+		{"log_parser_stats", PGC_USERLIMIT, STATS_MONITORING,
 			gettext_noop("Write parser performance stats to server log"),
 			NULL
 		},
@@ -505,7 +505,7 @@ static struct config_bool ConfigureNamesBool[] =
 		false, NULL, NULL
 	},
 	{
-		{"log_planner_stats", PGC_SUSET, STATS_MONITORING,
+		{"log_planner_stats", PGC_USERLIMIT, STATS_MONITORING,
 			gettext_noop("Write planner performance stats to server log"),
 			NULL
 		},
@@ -513,7 +513,7 @@ static struct config_bool ConfigureNamesBool[] =
 		false, NULL, NULL
 	},
 	{
-		{"log_executor_stats", PGC_SUSET, STATS_MONITORING,
+		{"log_executor_stats", PGC_USERLIMIT, STATS_MONITORING,
 			gettext_noop("Write executor performance stats to server log"),
 			NULL
 		},
@@ -521,7 +521,7 @@ static struct config_bool ConfigureNamesBool[] =
 		false, NULL, NULL
 	},
 	{
-		{"log_statement_stats", PGC_SUSET, STATS_MONITORING,
+		{"log_statement_stats", PGC_USERLIMIT, STATS_MONITORING,
 			gettext_noop("Write statement performance stats to server log"),
 			NULL
 		},
@@ -1107,7 +1107,7 @@ static struct config_int ConfigureNamesInt[] =
 	},

 	{
-		{"log_min_duration_statement", PGC_SUSET, LOGGING_WHEN,
+		{"log_min_duration_statement", PGC_USERLIMIT, LOGGING_WHEN,
 			gettext_noop("Min execution time (msec) above which statements will "
 						 "be logged"),
 			gettext_noop("The default is 0 (turning this feature off).")
@@ -1228,7 +1228,7 @@ static struct config_string ConfigureNamesString[] =
 	},

 	{
-		{"log_min_messages", PGC_SUSET, LOGGING_WHEN,
+		{"log_min_messages", PGC_USERLIMIT, LOGGING_WHEN,
 			gettext_noop("Controls which message levels logged"),
 			gettext_noop("Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, "
 						 "INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each level "
@@ -1248,7 +1248,7 @@ static struct config_string ConfigureNamesString[] =
 	},

 	{
-		{"log_min_error_statement", PGC_SUSET, LOGGING_WHEN,
+		{"log_min_error_statement", PGC_USERLIMIT, LOGGING_WHEN,
 			gettext_noop("Controls whether the erroneous statement is logged"),
 			gettext_noop("All SQL statements that cause an error of the "
 						 "specified level, or a higher level, are logged")
@@ -1714,6 +1714,9 @@ InitializeGUCOptions(void)

 					Assert(conf->reset_val >= conf->min);
 					Assert(conf->reset_val <= conf->max);
+					/* Check to make sure we only have valid PGC_USERLIMITs */
+					Assert(conf->gen.context != PGC_USERLIMIT ||
+						   strcmp(conf->gen.name, "log_min_duration_statement") == 0);
 					if (conf->assign_hook)
 						if (!(*conf->assign_hook) (conf->reset_val, true, false))
 							fprintf(stderr, "Failed to initialize %s to %d\n",
@@ -1728,6 +1731,7 @@ InitializeGUCOptions(void)

 					Assert(conf->reset_val >= conf->min);
 					Assert(conf->reset_val <= conf->max);
+					Assert(conf->gen.context != PGC_USERLIMIT);
 					if (conf->assign_hook)
 						if (!(*conf->assign_hook) (conf->reset_val, true, false))
 							fprintf(stderr, "Failed to initialize %s to %g\n",
@@ -1741,6 +1745,11 @@ InitializeGUCOptions(void)
 					struct config_string *conf = (struct config_string *) gconf;
 					char	   *str;

+					/* Check to make sure we only have valid PGC_USERLIMITs */
+					Assert(conf->gen.context != PGC_USERLIMIT ||
+						   conf->assign_hook == assign_log_min_messages ||
+						   conf->assign_hook == assign_client_min_messages ||
+						   conf->assign_hook == assign_min_error_statement);
 					*conf->variable = NULL;
 					conf->reset_val = NULL;
 					conf->session_val = NULL;
@@ -1837,7 +1846,9 @@ ResetAllOptions(void)
 		struct config_generic *gconf = guc_variables[i];

 		/* Don't reset non-SET-able values */
-		if (gconf->context != PGC_SUSET && gconf->context != PGC_USERSET)
+		if (gconf->context != PGC_SUSET &&
+			gconf->context != PGC_USERLIMIT &&
+			gconf->context != PGC_USERSET)
 			continue;
 		/* Don't reset if special exclusion from RESET ALL */
 		if (gconf->flags & GUC_NO_RESET_ALL)
@@ -2286,6 +2297,7 @@ set_config_option(const char *name, const char *value,
 	int			elevel;
 	bool		interactive;
 	bool		makeDefault;
+	bool		DoIt_orig;

 	if (context == PGC_SIGHUP || source == PGC_S_DEFAULT)
 		elevel = DEBUG2;
@@ -2371,6 +2383,7 @@ set_config_option(const char *name, const char *value,
 				return false;
 			}
 			break;
+		case PGC_USERLIMIT:	/* USERLIMIT permissions checked below */
 		case PGC_USERSET:
 			/* always okay */
 			break;
@@ -2393,6 +2406,7 @@ set_config_option(const char *name, const char *value,
 	 * to set the reset/session values even if we can't set the variable
 	 * itself.
 	 */
+	DoIt_orig = DoIt;	/* we might have to reverse this later */
 	if (record->source > source)
 	{
 		if (DoIt && !makeDefault)
@@ -2422,6 +2436,24 @@ set_config_option(const char *name, const char *value,
 							 name);
 						return false;
 					}
+					/* Limit non-super user changes */
+					if (record->context == PGC_USERLIMIT &&
+						source > PGC_S_USERSTART &&
+						newval < conf->session_val &&
+						!superuser())
+					{
+						elog(elevel, "'%s': permission denied\n"
+								"Only super-users can set this value to false.",
+								name);
+						return false;
+					}
+					/* Allow admin to override non-super user setting */
+					if (record->context == PGC_USERLIMIT &&
+						source < PGC_S_USERSTART &&
+						record->session_source > PGC_S_USERSTART &&
+						newval > conf->session_val &&
+						!superuser())
+							DoIt = DoIt_orig;
 				}
 				else
 				{
@@ -2493,6 +2525,25 @@ set_config_option(const char *name, const char *value,
 							 name, newval, conf->min, conf->max);
 						return false;
 					}
+					/* Limit non-super user changes */
+					if (record->context == PGC_USERLIMIT &&
+						source > PGC_S_USERSTART &&
+						conf->session_val != 0 &&
+						newval > conf->session_val &&
+						!superuser())
+					{
+						elog(elevel, "'%s': permission denied\n"
+								"Only super-users can increase this value.",
+								name);
+						return false;
+					}
+					/* Allow admin to override non-super user setting */
+					if (record->context == PGC_USERLIMIT &&
+						source < PGC_S_USERSTART &&
+						record->session_source > PGC_S_USERSTART &&
+						newval < conf->session_val &&
+						!superuser())
+							DoIt = DoIt_orig;
 				}
 				else
 				{
@@ -2564,6 +2615,24 @@ set_config_option(const char *name, const char *value,
 							 name, newval, conf->min, conf->max);
 						return false;
 					}
+					/* Limit non-super user changes */
+					if (record->context == PGC_USERLIMIT &&
+						source > PGC_S_USERSTART &&
+						newval > conf->session_val &&
+						!superuser())
+					{
+						elog(elevel, "'%s': permission denied\n"
+								"Only super-users can increase this value.",
+								name);
+						return false;
+					}
+					/* Allow admin to override non-super user setting */
+					if (record->context == PGC_USERLIMIT &&
+						source < PGC_S_USERSTART &&
+						record->session_source > PGC_S_USERSTART &&
+						newval < conf->session_val &&
+						!superuser())
+							DoIt = DoIt_orig;
 				}
 				else
 				{
@@ -2628,6 +2697,32 @@ set_config_option(const char *name, const char *value,
 						elog(elevel, "out of memory");
 						return false;
 					}
+
+					if (*conf->variable)
+					{
+						int old_int_value, new_int_value;
+
+						/* Limit non-super user changes */
+						assign_msglvl(&old_int_value, conf->reset_val, true, interactive);
+						assign_msglvl(&new_int_value, newval, true, interactive);
+						if (record->context == PGC_USERLIMIT &&
+							source > PGC_S_USERSTART &&
+							new_int_value > old_int_value &&
+							!superuser())
+						{
+							elog(elevel, "'%s': permission denied\n"
+										"Only super-users can increase this value.",
+										name);
+							return false;
+						}
+						/* Allow admin to override non-super user setting */
+						if (record->context == PGC_USERLIMIT &&
+							source < PGC_S_USERSTART &&
+							record->session_source > PGC_S_USERSTART &&
+							newval < conf->session_val &&
+							!superuser())
+								DoIt = DoIt_orig;
+						}
 				}
 				else if (conf->reset_val)
 				{

--- a/src/include/utils/guc.h
+++ b/src/include/utils/guc.h
@@ -7,7 +7,7 @@
 * Copyright 2000-2003 by PostgreSQL Global Development Group
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
- * $Id: guc.h,v 1.32 2003/06/11 18:01:14 momjian Exp $
+ * $Id: guc.h,v 1.33 2003/07/09 06:47:34 momjian Exp $
 *--------------------------------------------------------------------
 */
 #ifndef GUC_H
@@ -48,6 +48,9 @@
 * be set in the connection startup packet, because when it is processed
 * we don't yet know if the user is a superuser.
 *
+ * USERLIMIT options can only be manipulated in certain ways by
+ * non-super users.
+ *
 * USERSET options can be set by anyone any time.
 */
 typedef enum
@@ -57,6 +60,7 @@ typedef enum
 	PGC_SIGHUP,
 	PGC_BACKEND,
 	PGC_SUSET,
+	PGC_USERLIMIT,
 	PGC_USERSET
 } GucContext;

@@ -76,11 +80,16 @@ typedef enum
 	PGC_S_ENV_VAR = 1,			/* postmaster environment variable */
 	PGC_S_FILE = 2,				/* postgresql.conf */
 	PGC_S_ARGV = 3,				/* postmaster command line */
-	PGC_S_DATABASE = 4,			/* per-database setting */
-	PGC_S_USER = 5,				/* per-user setting */
-	PGC_S_CLIENT = 6,			/* from client connection request */
-	PGC_S_OVERRIDE = 7,			/* special case to forcibly set default */
-	PGC_S_SESSION = 8			/* SET command */
+	PGC_S_USERSTART=4,			/*
+								 *	Settings below are controlled by users.
+								 *	This is used by PGC_USERLIMT to prevent
+								 *	non-super users from changing certain settings.
+								 */
+	PGC_S_DATABASE = 5,			/* per-database setting */
+	PGC_S_USER = 6,				/* per-user setting */
+	PGC_S_CLIENT = 7,			/* from client connection request */
+	PGC_S_OVERRIDE = 8,			/* special case to forcibly set default */
+	PGC_S_SESSION = 9			/* SET command */
 } GucSource;