Re: Fwd: A million users - Mailing list pgsql-general

From walther@technowledgy.de
Subject Re: Fwd: A million users
Date
Msg-id c607b5e4-93c9-4c3d-9a1c-e3210ab91fb8@technowledgy.de
Whole thread Raw
In response to Re: Fwd: A million users  (Eric Hanson <eric@aquameta.com>)
Responses Re: Fwd: A million users
List pgsql-general
Eric Hanson:
> Did you find some way to prevent RESET ROLE?  I once advocated for a NO 
> RESET option on SET ROLE [1] so that RESET ROLE would be impossible for 
> the rest of the session.  Still think it would be helpful.

Yeah, this is still on my list of things to research more about 
eventually - currently still unsolved.

For my use-case the NO RESET would need to apply until the end of the 
transaction, not end of the session.

I imagine something like an extension, that would:
- block any SET SESSION ROLE
- block any RESET ROLE
- only allow SET LOCAL ROLE when CURRENT_USER has the right to do so

Then the effect of SET LOCAL ROLE would still be reversed at the end of 
the transaction, but you could never "escape" a SET LOCAL ROLE that was 
set earlier.

Best,

Wolfgang



pgsql-general by date:

Previous
From: Eric Hanson
Date:
Subject: Re: Fwd: A million users
Next
From: "David G. Johnston"
Date:
Subject: Re: CVE-2024-10979 Vulnerability Impact on PostgreSQL 11.10