Re: Preventing non-superusers from altering session authorization - Mailing list pgsql-hackers

From Nathan Bossart
Subject Re: Preventing non-superusers from altering session authorization
Date
Msg-id 20230714041608.GA327716@nathanxps13
Whole thread Raw
In response to Re: Preventing non-superusers from altering session authorization  (Nathan Bossart <nathandbossart@gmail.com>)
List pgsql-hackers
On Wed, Jul 12, 2023 at 09:37:57PM -0700, Nathan Bossart wrote:
> On Mon, Jul 10, 2023 at 01:49:55PM -0700, Nathan Bossart wrote:
>> Great.  I'm going to wait a few more days in case anyone has additional
>> feedback, but otherwise I intend to commit this shortly.
> 
> I've committed 0001 for now.  I'm hoping to commit the other two patches
> within the next couple of days.

Committed.  I dwelled on whether to proceed with this change because it
doesn't completely solve the originally-stated problem; i.e., a role that
has changed its session authorization before losing superuser can still
take advantage of the privileges of the target role, which might include
reaquiring superuser.  However, I think SET ROLE is subject to basically
the same problem, and I'd argue that this change is strictly an
improvement, if for no other reason than it makes SET SESSION AUTHORIZATION
more consistent with SET ROLE.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com



pgsql-hackers by date:

Previous
From: Amit Langote
Date:
Subject: Re: In Postgres 16 BETA, should the ParseNamespaceItem have the same index as it's RangeTableEntry?
Next
From: Michael Paquier
Date:
Subject: Re: add non-option reordering to in-tree getopt_long