pgsql: Fix privilege check for SET SESSION AUTHORIZATION. - Mailing list pgsql-committers

From Nathan Bossart
Subject pgsql: Fix privilege check for SET SESSION AUTHORIZATION.
Date
Msg-id E1qKADf-000Gu7-A5@gemulon.postgresql.org
Whole thread Raw
List pgsql-committers
Fix privilege check for SET SESSION AUTHORIZATION.

Presently, the privilege check for SET SESSION AUTHORIZATION checks
whether the original authenticated role was a superuser at
connection start time.  Even if the role loses the superuser
attribute, its existing sessions are permitted to change session
authorization to any role.

This commit modifies this privilege check to verify the original
authenticated role currently has superuser.  In the event that the
authenticated role loses superuser within a session authorization
change, the authorization change will remain in effect, which means
the user can still take advantage of the target role's privileges.
However, [RE]SET SESSION AUTHORIZATION will only permit switching
to the original authenticated role.

Author: Joseph Koshakow
Discussion: https://postgr.es/m/CAAvxfHc-HHzONQ2oXdvhFF9ayRnidPwK%2BfVBhRzaBWYYLVQL-g%40mail.gmail.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/a0363ab7aafda7d16ae59e72d86866c02ad3d657

Modified Files
--------------
doc/src/sgml/ref/set_session_auth.sgml |  2 +-
src/backend/commands/variable.c        |  2 +-
src/backend/utils/init/miscinit.c      | 28 ++++++++--------------------
src/include/miscadmin.h                |  1 -
4 files changed, 10 insertions(+), 23 deletions(-)


pgsql-committers by date:

Previous
From: Amit Kapila
Date:
Subject: pgsql: Allow the use of a hash index on the subscriber during replicati
Next
From: Amit Langote
Date:
Subject: pgsql: Add missing initializations of p_perminfo