2003-03-18 23:19:47 +01:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
*
|
|
|
|
* dropuser
|
|
|
|
*
|
2019-01-02 18:44:25 +01:00
|
|
|
* Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
|
2003-03-18 23:19:47 +01:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
|
|
*
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/bin/scripts/dropuser.c
|
2003-03-18 23:19:47 +01:00
|
|
|
*
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "postgres_fe.h"
|
|
|
|
#include "common.h"
|
2016-03-24 20:55:44 +01:00
|
|
|
#include "fe_utils/string_utils.h"
|
2003-03-18 23:19:47 +01:00
|
|
|
|
|
|
|
|
|
|
|
static void help(const char *progname);
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
main(int argc, char *argv[])
|
|
|
|
{
|
2011-08-30 18:06:40 +02:00
|
|
|
static int if_exists = 0;
|
|
|
|
|
2003-03-18 23:19:47 +01:00
|
|
|
static struct option long_options[] = {
|
|
|
|
{"host", required_argument, NULL, 'h'},
|
|
|
|
{"port", required_argument, NULL, 'p'},
|
|
|
|
{"username", required_argument, NULL, 'U'},
|
2009-02-26 17:02:39 +01:00
|
|
|
{"no-password", no_argument, NULL, 'w'},
|
2003-03-18 23:19:47 +01:00
|
|
|
{"password", no_argument, NULL, 'W'},
|
|
|
|
{"echo", no_argument, NULL, 'e'},
|
|
|
|
{"interactive", no_argument, NULL, 'i'},
|
2011-08-30 18:06:40 +02:00
|
|
|
{"if-exists", no_argument, &if_exists, 1},
|
2003-03-18 23:19:47 +01:00
|
|
|
{NULL, 0, NULL, 0}
|
|
|
|
};
|
|
|
|
|
2004-05-12 15:38:49 +02:00
|
|
|
const char *progname;
|
2003-03-18 23:19:47 +01:00
|
|
|
int optindex;
|
|
|
|
int c;
|
|
|
|
|
|
|
|
char *dropuser = NULL;
|
|
|
|
char *host = NULL;
|
|
|
|
char *port = NULL;
|
|
|
|
char *username = NULL;
|
2009-02-26 17:02:39 +01:00
|
|
|
enum trivalue prompt_password = TRI_DEFAULT;
|
2003-03-18 23:19:47 +01:00
|
|
|
bool echo = false;
|
|
|
|
bool interactive = false;
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
char dropuser_buf[128];
|
2003-03-18 23:19:47 +01:00
|
|
|
|
|
|
|
PQExpBufferData sql;
|
|
|
|
|
|
|
|
PGconn *conn;
|
|
|
|
PGresult *result;
|
|
|
|
|
|
|
|
progname = get_progname(argv[0]);
|
2008-12-11 08:34:09 +01:00
|
|
|
set_pglocale_pgservice(argv[0], PG_TEXTDOMAIN("pgscripts"));
|
2004-06-01 04:54:09 +02:00
|
|
|
|
2003-03-18 23:19:47 +01:00
|
|
|
handle_help_version_opts(argc, argv, "dropuser", help);
|
|
|
|
|
2009-02-26 17:20:55 +01:00
|
|
|
while ((c = getopt_long(argc, argv, "h:p:U:wWei", long_options, &optindex)) != -1)
|
2003-03-18 23:19:47 +01:00
|
|
|
{
|
|
|
|
switch (c)
|
|
|
|
{
|
|
|
|
case 'h':
|
2012-10-12 19:35:40 +02:00
|
|
|
host = pg_strdup(optarg);
|
2003-03-18 23:19:47 +01:00
|
|
|
break;
|
|
|
|
case 'p':
|
2012-10-12 19:35:40 +02:00
|
|
|
port = pg_strdup(optarg);
|
2003-03-18 23:19:47 +01:00
|
|
|
break;
|
|
|
|
case 'U':
|
2012-10-12 19:35:40 +02:00
|
|
|
username = pg_strdup(optarg);
|
2003-03-18 23:19:47 +01:00
|
|
|
break;
|
2009-02-26 17:02:39 +01:00
|
|
|
case 'w':
|
|
|
|
prompt_password = TRI_NO;
|
|
|
|
break;
|
2003-03-18 23:19:47 +01:00
|
|
|
case 'W':
|
2009-02-26 17:02:39 +01:00
|
|
|
prompt_password = TRI_YES;
|
2003-03-18 23:19:47 +01:00
|
|
|
break;
|
|
|
|
case 'e':
|
|
|
|
echo = true;
|
|
|
|
break;
|
|
|
|
case 'i':
|
|
|
|
interactive = true;
|
|
|
|
break;
|
2011-08-30 18:06:40 +02:00
|
|
|
case 0:
|
|
|
|
/* this covers the long options */
|
|
|
|
break;
|
2003-03-18 23:19:47 +01:00
|
|
|
default:
|
2003-07-23 10:47:41 +02:00
|
|
|
fprintf(stderr, _("Try \"%s --help\" for more information.\n"), progname);
|
2003-03-18 23:19:47 +01:00
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (argc - optind)
|
|
|
|
{
|
|
|
|
case 0:
|
|
|
|
break;
|
|
|
|
case 1:
|
|
|
|
dropuser = argv[optind];
|
|
|
|
break;
|
|
|
|
default:
|
2003-07-23 10:47:41 +02:00
|
|
|
fprintf(stderr, _("%s: too many command-line arguments (first is \"%s\")\n"),
|
2003-03-18 23:19:47 +01:00
|
|
|
progname, argv[optind + 1]);
|
2003-07-23 10:47:41 +02:00
|
|
|
fprintf(stderr, _("Try \"%s --help\" for more information.\n"), progname);
|
2003-03-18 23:19:47 +01:00
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (dropuser == NULL)
|
2012-02-07 13:55:34 +01:00
|
|
|
{
|
|
|
|
if (interactive)
|
Simplify correct use of simple_prompt().
The previous API for this function had it returning a malloc'd string.
That meant that callers had to check for NULL return, which few of them
were doing, and it also meant that callers had to remember to free()
the string later, which required extra logic in most cases.
Instead, make simple_prompt() write into a buffer supplied by the caller.
Anywhere that the maximum required input length is reasonably small,
which is almost all of the callers, we can just use a local or static
array as the buffer instead of dealing with malloc/free.
A fair number of callers used "pointer == NULL" as a proxy for "haven't
requested the password yet". Maintaining the same behavior requires
adding a separate boolean flag for that, which adds back some of the
complexity we save by removing free()s. Nonetheless, this nets out
at a small reduction in overall code size, and considerably less code
than we would have had if we'd added the missing NULL-return checks
everywhere they were needed.
In passing, clean up the API comment for simple_prompt() and get rid
of a very-unnecessary malloc/free in its Windows code path.
This is nominally a bug fix, but it does not seem worth back-patching,
because the actual risk of an OOM failure in any of these places seems
pretty tiny, and all of them are client-side not server-side anyway.
This patch is by me, but it owes a great deal to Michael Paquier
who identified the problem and drafted a patch for fixing it the
other way.
Discussion: <CAB7nPqRu07Ot6iht9i9KRfYLpDaF2ZuUv5y_+72uP23ZAGysRg@mail.gmail.com>
2016-08-30 23:02:02 +02:00
|
|
|
{
|
|
|
|
simple_prompt("Enter name of role to drop: ",
|
|
|
|
dropuser_buf, sizeof(dropuser_buf), true);
|
|
|
|
dropuser = dropuser_buf;
|
|
|
|
}
|
2012-02-07 13:55:34 +01:00
|
|
|
else
|
|
|
|
{
|
|
|
|
fprintf(stderr, _("%s: missing required argument role name\n"), progname);
|
|
|
|
fprintf(stderr, _("Try \"%s --help\" for more information.\n"), progname);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
}
|
2003-03-18 23:19:47 +01:00
|
|
|
|
|
|
|
if (interactive)
|
|
|
|
{
|
2005-08-15 04:40:36 +02:00
|
|
|
printf(_("Role \"%s\" will be permanently removed.\n"), dropuser);
|
2006-09-22 20:50:41 +02:00
|
|
|
if (!yesno_prompt("Are you sure?"))
|
2003-03-18 23:19:47 +01:00
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
initPQExpBuffer(&sql);
|
2014-02-11 03:47:19 +01:00
|
|
|
appendPQExpBuffer(&sql, "DROP ROLE %s%s;",
|
2011-08-30 18:06:40 +02:00
|
|
|
(if_exists ? "IF EXISTS " : ""), fmtId(dropuser));
|
2003-03-18 23:19:47 +01:00
|
|
|
|
2015-12-23 21:45:43 +01:00
|
|
|
conn = connectDatabase("postgres", host, port, username, prompt_password,
|
Empty search_path in Autovacuum and non-psql/pgbench clients.
This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".
This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.
The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.
Back-patch to 9.3 (all supported versions).
Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.
Security: CVE-2018-1058
2018-02-26 16:39:44 +01:00
|
|
|
progname, echo, false, false);
|
2003-03-18 23:19:47 +01:00
|
|
|
|
|
|
|
if (echo)
|
2014-02-11 03:47:19 +01:00
|
|
|
printf("%s\n", sql.data);
|
2003-03-18 23:19:47 +01:00
|
|
|
result = PQexec(conn, sql.data);
|
|
|
|
|
|
|
|
if (PQresultStatus(result) != PGRES_COMMAND_OK)
|
|
|
|
{
|
2005-08-15 04:40:36 +02:00
|
|
|
fprintf(stderr, _("%s: removal of role \"%s\" failed: %s"),
|
2003-03-18 23:19:47 +01:00
|
|
|
progname, dropuser, PQerrorMessage(conn));
|
|
|
|
PQfinish(conn);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
2006-05-29 21:52:46 +02:00
|
|
|
PQclear(result);
|
2003-03-18 23:19:47 +01:00
|
|
|
PQfinish(conn);
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
help(const char *progname)
|
|
|
|
{
|
2005-09-30 09:58:01 +02:00
|
|
|
printf(_("%s removes a PostgreSQL role.\n\n"), progname);
|
2003-03-18 23:19:47 +01:00
|
|
|
printf(_("Usage:\n"));
|
2005-09-30 09:58:01 +02:00
|
|
|
printf(_(" %s [OPTION]... [ROLENAME]\n"), progname);
|
2003-03-18 23:19:47 +01:00
|
|
|
printf(_("\nOptions:\n"));
|
2003-06-11 07:13:12 +02:00
|
|
|
printf(_(" -e, --echo show the commands being sent to the server\n"));
|
2012-02-07 13:55:34 +01:00
|
|
|
printf(_(" -i, --interactive prompt before deleting anything, and prompt for\n"
|
|
|
|
" role name if not specified\n"));
|
2012-06-18 01:44:00 +02:00
|
|
|
printf(_(" -V, --version output version information, then exit\n"));
|
2011-08-30 18:06:40 +02:00
|
|
|
printf(_(" --if-exists don't report error if user doesn't exist\n"));
|
2012-06-18 01:44:00 +02:00
|
|
|
printf(_(" -?, --help show this help, then exit\n"));
|
2009-02-25 14:03:07 +01:00
|
|
|
printf(_("\nConnection options:\n"));
|
2003-06-11 07:13:12 +02:00
|
|
|
printf(_(" -h, --host=HOSTNAME database server host or socket directory\n"));
|
2003-03-18 23:19:47 +01:00
|
|
|
printf(_(" -p, --port=PORT database server port\n"));
|
|
|
|
printf(_(" -U, --username=USERNAME user name to connect as (not the one to drop)\n"));
|
2009-02-26 17:02:39 +01:00
|
|
|
printf(_(" -w, --no-password never prompt for password\n"));
|
2007-12-11 20:57:32 +01:00
|
|
|
printf(_(" -W, --password force password prompt\n"));
|
2019-01-19 19:06:35 +01:00
|
|
|
printf(_("\nReport bugs to <pgsql-bugs@lists.postgresql.org>.\n"));
|
2003-03-18 23:19:47 +01:00
|
|
|
}
|