Postgres Pro
Downloads
Home   >   mailing lists

ALTER ROLE/DATABASE RESET ALL versus security - Mailing list pgsql-hackers

From Tom Lane
Subject ALTER ROLE/DATABASE RESET ALL versus security
Date
Msg-id 28907.1258157302@sss.pgh.pa.us
Whole thread Raw
Responses Re: ALTER ROLE/DATABASE RESET ALL versus security
Re: ALTER ROLE/DATABASE RESET ALL versus security
Re: ALTER ROLE/DATABASE RESET ALL versus security
List pgsql-hackers
Tree view 
It looks to me like the code in AlterSetting() will allow an ordinary
user to blow away all settings for himself.  Even those that are for
SUSET variables and were presumably set for him by a superuser.  Isn't
this a security hole?  I would expect that an unprivileged user should
not be able to change such settings, not even to the extent of
reverting to the installation-wide default.
        regards, tom lane

pgsql-hackers by date:

Previous
From: Alvaro Herrera
Date:
Subject: Re: tsearch parser inefficiency if text includes urls or emails - new version
Next
From: James Mansion
Date:
Subject: Re: Listen / Notify rewrite