Re: set role command - Mailing list pgsql-general

From Michał Kłeczek
Subject Re: set role command
Date
Msg-id 539FB9D9-7542-487E-AFA7-152EFF9FCC89@kleczek.org
In response to set role command  (Calvin Guo <newoakllc2023@gmail.com>)
List pgsql-general

> On 24 Nov 2025, at 09:15, Calvin Guo <newoakllc2023@gmail.com> wrote:
>
> I feel that set role logic is kind of misleading.
>
> I am a superuser, admin,
> I do:
> set role usera
> Now I am under the security context of usera, so I think running any sql is safe as long as it's allowed by usera.
>
> Which is not the case!
> as usera can do:
> set role userb; other sql,
> or
> reset role; other sql,
> it turns out it's not safe at all, the sql can easily get access right of the super user. It can impersonate userb though they do not have any relationship whatsoever.
>
> I really feel, once you "set role usera", you should behave like usera, you should NOT have the power to say: hi, I can assume my super user power whenever I want. As this makes the "set role usera" pretty much useless.
>
> It's unsafe!

It is a known issue and there were various proposals (need to search pgsql-hackers list). One of them being “set role” message at the protocol level (i.e. unavailable from SQL). Another being “SET ROLE … PASSWORD …” and “RESET ROLE PASSWORD …” which would allow resetting the role only when password is known.
I don’t think any of them gained traction to be honest.

Kind regards,

--
Michal
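
The behaviour discussed in this message, as an added example that is not part of the original thread: SET ROLE changes current_user, while session_user stays the superuser, and it is session_user that a later SET ROLE is checked against. The table name b_only is hypothetical, and the script assumes a superuser session in a scratch database where usera and userb do not already exist.

```sql
-- Added example, not from the thread. Everything is rolled back at the end.
BEGIN;

CREATE ROLE usera NOLOGIN;
CREATE ROLE userb NOLOGIN;   -- no membership relation between usera and userb

-- Hypothetical table owned by userb; usera is granted nothing on it.
CREATE TABLE b_only (v text);
ALTER TABLE b_only OWNER TO userb;

-- 1. Starting point: session_user and current_user are both the superuser.
SELECT session_user, current_user,
       has_table_privilege('b_only', 'SELECT') AS can_read_b_only;

-- 2. SET ROLE switches current_user only. Privilege checks now run as usera,
--    so has_table_privilege() (which tests current_user) reflects usera's
--    lack of access. session_user is still the superuser.
SET ROLE usera;
SELECT session_user, current_user,
       has_table_privilege('b_only', 'SELECT') AS can_read_b_only;

-- 3. SQL executed "as usera" can switch again. Whether SET ROLE is allowed
--    is decided from session_user, and a superuser session may select any
--    role, so usera's missing membership in userb does not matter here.
SET ROLE userb;
SELECT session_user, current_user,
       has_table_privilege('b_only', 'SELECT') AS can_read_b_only;

-- 4. RESET ROLE returns current_user to the session's own identity,
--    restoring the superuser's privileges.
RESET ROLE;
SELECT session_user, current_user,
       has_table_privilege('b_only', 'SELECT') AS can_read_b_only;

ROLLBACK;
```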

