Add check for mdb_service_auth role

reshke · reshke · commit 64bc8da64891 · 2026-01-31T12:11:41.000Z
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
@@ -3392,7 +3392,7 @@ pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
 	 */
 	if (mask & ACL_SELECT && !(result & ACL_SELECT) &&
 		has_privs_of_role(roleid, mdb_read_all_data_oid) && 
-		!has_privs_of_unwanted_system_role(ownerId))
+		!has_privs_of_unwanted_system_role(ownerId, true))
 		result |= ACL_SELECT;
 
 	/*
@@ -3417,7 +3417,7 @@ pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask,
 	if (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE) &&
 		!(result & (ACL_INSERT | ACL_UPDATE | ACL_DELETE)) &&
 		has_privs_of_role(roleid, mdb_write_all_data_oid) &&
-		!has_privs_of_unwanted_system_role(ownerId))
+		!has_privs_of_unwanted_system_role(ownerId, true))
 		result |= (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE));
 
 	/*
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
@@ -5337,7 +5337,9 @@ has_privs_of_role_strict_no_cache(Oid member, Oid role)
 */
 
 bool
-has_privs_of_unwanted_system_role(Oid role) {
+has_privs_of_unwanted_system_role(Oid role, bool check_mdb_service_auth) {
+	Oid mdb_service_authoid;
+
 	if (has_privs_of_role_strict(role, ROLE_PG_READ_SERVER_FILES)) {
 		return true;
 	}
@@ -5354,6 +5356,14 @@ has_privs_of_unwanted_system_role(Oid role) {
 		return true;
 	}
 
+	if (check_mdb_service_auth) {
+		mdb_service_authoid = get_role_oid("mdb_service_auth", true);
+
+		if (has_privs_of_role_strict(role, mdb_service_authoid)) {
+			return true;
+		}
+	}
+
 	return false;
 }
 
@@ -5400,7 +5410,7 @@ has_privs_of_role(Oid member, Oid role)
 			* if target role is neither superuser nor
 			* some dangerous system role
 			*/
-			if (!has_privs_of_unwanted_system_role(role)) {
+			if (!has_privs_of_unwanted_system_role(role, true)) {
 				return true;
 			}
 		}
@@ -5455,7 +5465,7 @@ mdb_admin_allow_bypass_owner_checks(Oid userId,  Oid ownerId)
 	*/
 
 	/* All checks passed, hope will not be hacked here (again) */
-	return !has_privs_of_unwanted_system_role(ownerId);
+	return !has_privs_of_unwanted_system_role(ownerId, true);
 }
 
 // -- non-upstream patch end
@@ -5534,7 +5544,7 @@ check_mdb_admin_is_member_of_role(Oid member, Oid role)
 							GetUserNameFromId(role, false))));
 		}
 
-		if (has_privs_of_unwanted_system_role(role)) {			
+		if (has_privs_of_unwanted_system_role(role, true)) {			
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					errmsg("forbidden to transfer ownership to this system role in Cloud")));
@@ -5568,7 +5578,7 @@ bool mdb_admin_is_member_of_role(Oid member, Oid role) {
 		return false;
 	}
 
-	return !has_privs_of_unwanted_system_role(role);
+	return !has_privs_of_unwanted_system_role(role, true);
 }
 
 // -- mdb admin patch 
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
@@ -231,7 +231,7 @@ extern bool mdb_admin_is_member_of_role(Oid member, Oid role);
 extern Oid	select_best_admin(Oid member, Oid role);
 extern Oid	get_role_oid(const char *rolname, bool missing_ok);
 extern Oid	get_role_oid_or_public(const char *rolname);
-extern bool has_privs_of_unwanted_system_role(Oid role);
+extern bool has_privs_of_unwanted_system_role(Oid role, bool check_mdb_service_auth);
 extern Oid	get_rolespec_oid(const RoleSpec *role, bool missing_ok);
 extern void check_rolespec_name(const RoleSpec *role, const char *detail_msg);
 extern HeapTuple get_rolespec_tuple(const RoleSpec *role);

Original file line number	Diff line number	Diff line change
`@@ -5337,7 +5337,9 @@ has_privs_of_role_strict_no_cache(Oid member, Oid role)`
`5337`	`5337`	`*/`
`5338`	`5338`
`5339`	`5339`	`bool`
`5340`		`-has_privs_of_unwanted_system_role(Oid role) {`
	`5340`	`+has_privs_of_unwanted_system_role(Oid role, bool check_mdb_service_auth) {`
	`5341`	`+ Oid mdb_service_authoid;`
	`5342`	`+`
`5341`	`5343`	`if (has_privs_of_role_strict(role, ROLE_PG_READ_SERVER_FILES)) {`
`5342`	`5344`	`return true;`
`5343`	`5345`	`}`
`@@ -5354,6 +5356,14 @@ has_privs_of_unwanted_system_role(Oid role) {`
`5354`	`5356`	`return true;`
`5355`	`5357`	`}`
`5356`	`5358`
	`5359`	`+ if (check_mdb_service_auth) {`
	`5360`	`+ mdb_service_authoid = get_role_oid("mdb_service_auth", true);`
	`5361`	`+`
	`5362`	`+ if (has_privs_of_role_strict(role, mdb_service_authoid)) {`
	`5363`	`+ return true;`
	`5364`	`+ }`
	`5365`	`+ }`
	`5366`	`+`
`5357`	`5367`	`return false;`
`5358`	`5368`	`}`
`5359`	`5369`
`@@ -5400,7 +5410,7 @@ has_privs_of_role(Oid member, Oid role)`
`5400`	`5410`	`* if target role is neither superuser nor`
`5401`	`5411`	`* some dangerous system role`
`5402`	`5412`	`*/`
`5403`		`- if (!has_privs_of_unwanted_system_role(role)) {`
	`5413`	`+ if (!has_privs_of_unwanted_system_role(role, true)) {`
`5404`	`5414`	`return true;`
`5405`	`5415`	`}`
`5406`	`5416`	`}`
`@@ -5455,7 +5465,7 @@ mdb_admin_allow_bypass_owner_checks(Oid userId, Oid ownerId)`
`5455`	`5465`	`*/`
`5456`	`5466`
`5457`	`5467`	`/* All checks passed, hope will not be hacked here (again) */`
`5458`		`- return !has_privs_of_unwanted_system_role(ownerId);`
	`5468`	`+ return !has_privs_of_unwanted_system_role(ownerId, true);`
`5459`	`5469`	`}`
`5460`	`5470`
`5461`	`5471`	`// -- non-upstream patch end`
`@@ -5534,7 +5544,7 @@ check_mdb_admin_is_member_of_role(Oid member, Oid role)`
`5534`	`5544`	`GetUserNameFromId(role, false))));`
`5535`	`5545`	`}`
`5536`	`5546`
`5537`		`- if (has_privs_of_unwanted_system_role(role)) {`
	`5547`	`+ if (has_privs_of_unwanted_system_role(role, true)) {`
`5538`	`5548`	`ereport(ERROR,`
`5539`	`5549`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`5540`	`5550`	`errmsg("forbidden to transfer ownership to this system role in Cloud")));`
`@@ -5568,7 +5578,7 @@ bool mdb_admin_is_member_of_role(Oid member, Oid role) {`
`5568`	`5578`	`return false;`
`5569`	`5579`	`}`
`5570`	`5580`
`5571`		`- return !has_privs_of_unwanted_system_role(role);`
	`5581`	`+ return !has_privs_of_unwanted_system_role(role, true);`
`5572`	`5582`	`}`
`5573`	`5583`
`5574`	`5584`	`// -- mdb admin patch`