Home > mailing lists

Re: ALTER ROLE/DATABASE RESET ALL versus security - Mailing list pgsql-hackers

From	Bruce Momjian
Subject	Re: ALTER ROLE/DATABASE RESET ALL versus security
Date	February 27, 2010 02:46:21
Msg-id	201002270338.o1R3cnB28008@momjian.us Whole thread Raw
In response to	Re: ALTER ROLE/DATABASE RESET ALL versus security (Alvaro Herrera <alvherre@commandprompt.com>)
Responses	Re: ALTER ROLE/DATABASE RESET ALL versus security
List	pgsql-hackers

Tree view

Alvaro Herrera wrote:
> Tom Lane wrote:
> > Alvaro Herrera <alvherre@commandprompt.com> writes:
> > > Tom Lane wrote:
> > >> It looks to me like the code in AlterSetting() will allow an ordinary
> > >> user to blow away all settings for himself.  Even those that are for
> > >> SUSET variables and were presumably set for him by a superuser.  Isn't
> > >> this a security hole?  I would expect that an unprivileged user should
> > >> not be able to change such settings, not even to the extent of
> > >> reverting to the installation-wide default.
> > 
> > > Yes, it is, but this is not a new hole.  This works just fine in 8.4
> > > too:
> > 
> > So I'd argue for changing it in 8.4 too.
> 
> Understood.  I'm starting to look at what this requires.

Any progress on this?

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.comPG East:  http://www.enterprisedb.com/community/nav-pg-east-2010.do + If your life is a hard
drive,Christ can be your backup. +

pgsql-hackers by date:

From: Bruce Momjian
Date: 27 February 2010, 02:45:36
Subject: Re: Lock Wait Statistics (next commitfest)

From: Greg Stark
Date: 27 February 2010, 02:47:29
Subject: Re: Hot Standby query cancellation and Streaming Replication integration

Re: ALTER ROLE/DATABASE RESET ALL versus security - Mailing list pgsql-hackers

Previous

Next