On Tue, Sep 26, 2023 at 08:33:25AM -0700, Yurii Rashkovskii wrote:
> This is a good start, indeed. I've amended my patch to include it.
Thanks for the new patch.
Looking again, I'm kind of hesitant to add too much qualification to this
note about losing superuser privileges. If we changed it to

    Note that when a superuser chooses to SET ROLE to a non-superuser role,
    they lose their superuser privileges, except for the privilege to
    change to another role again using SET ROLE or RESET ROLE.

it almost seems to imply that a non-superuser role could obtain the ability
to switch to any role if they first SET ROLE to a superuser. In practice,
that's true because they could just give the session role SUPERUSER, but I
don't think that's the intent of this section.
I thought about changing it to something like

    Note that when a superuser chooses to SET ROLE to a non-superuser role,
    they lose their superuser privileges. However, if the current session
    user is a superuser, they retain the ability to set the current user
    identifier to any role via SET ROLE and RESET ROLE.

but it seemed weird to me to single out superusers here when it's always
true that the current session user retains the ability to SET ROLE to any
role they have the SET option on. That is already covered above in the
"Description" section, so I don't really see the need to belabor the point
by adding qualifications to the "Notes" section. ISTM the point of these
couple of paragraphs in the "Notes" section is to explain the effects on
privileges for schemas, tables, etc.
I still think we should update the existing note about privileges for
SET/RESET ROLE to something like the following:
diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml
index 13bad1bf66..c91a95f5af 100644
--- a/doc/src/sgml/ref/set_role.sgml
+++ b/doc/src/sgml/ref/set_role.sgml
@@ -41,8 +41,10 @@ RESET ROLE
</para>
<para>
- The specified <replaceable class="parameter">role_name</replaceable>
- must be a role that the current session user is a member of.
+ The current session user must have the <literal>SET</option> for the
+ specified <replaceable class="parameter">role_name</replaceable>, either
+ directly or indirectly via a chain of memberships with the
+ <literal>SET</literal> option.
(If the session user is a superuser, any role can be selected.)
</para>
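Review bot: the first added line opens `<literal>` but closes it with `</option>`, a mismatched tag that will break the SGML build, and the word "option" itself is missing from the sentence ("must have the SET for the specified role_name"). It should read `The current session user must have the <literal>SET</literal> option for the`, matching the `<literal>SET</literal> option` wording on the last added line.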
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
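The rule discussed above (SET ROLE requires the SET option on the membership, directly or via a chain, and a superuser who sets a non-superuser role can still RESET ROLE) can be checked with the following SQL. It is an added example, not part of the thread or of the patch, and assumes PostgreSQL 16 or later, a psql session opened as a superuser, and the constructed role names app_owner, team_lead and alice.

```sql
-- Constructed roles for the demonstration (not from the thread).
CREATE ROLE app_owner;
CREATE ROLE team_lead;
CREATE ROLE alice LOGIN;

-- Chain of memberships, each link granted WITH SET TRUE:
-- alice -> team_lead -> app_owner
GRANT app_owner TO team_lead WITH SET TRUE;
GRANT team_lead TO alice     WITH SET TRUE;

-- Act as alice for the rest of the checks (allowed because the
-- authenticated user of this session is a superuser).
SET SESSION AUTHORIZATION alice;

-- Indirect SET option via the chain: succeeds.
SET ROLE app_owner;
SELECT session_user, current_user;   -- alice | app_owner

-- The session user keeps the ability to switch again.
RESET ROLE;
SELECT session_user, current_user;   -- alice | alice

-- Back to the superuser to break one link of the chain.
RESET SESSION AUTHORIZATION;
REVOKE SET OPTION FOR app_owner FROM team_lead;

SET SESSION AUTHORIZATION alice;
-- Membership still exists for INHERIT purposes, but without the SET
-- option on this link the switch is refused:
-- ERROR:  permission denied to set role "app_owner"
SET ROLE app_owner;
RESET SESSION AUTHORIZATION;

-- Superuser side of the note: after SET ROLE to a non-superuser role
-- the superuser privileges are gone for ordinary privilege checks ...
SET ROLE alice;
SELECT rolname FROM pg_authid LIMIT 1;  -- ERROR: permission denied for table pg_authid
-- ... but RESET ROLE is still permitted because the session user is a superuser.
RESET ROLE;
SELECT rolname FROM pg_authid LIMIT 1;  -- succeeds again

DROP ROLE alice, team_lead, app_owner;
```

The two ERROR lines are the expected outcomes of those statements; psql continues after them unless ON_ERROR_STOP is set.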