| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Bryn Jeffries <bryn(dot)jeffries(at)sydney(dot)edu(dot)au> |
| Cc: | "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Irreversible SET ROLE |
| Date: | 2014-12-02 01:39:22 |
| Message-ID: | 12275.1417484362@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Bryn Jeffries <bryn(dot)jeffries(at)sydney(dot)edu(dot)au> writes:
> Tom Lane wrote
>> I think you might be able to do something with invoking untrusted code
>> inside a SECURITY DEFINER function. That context disables both SET ROLE
>> and SET SESSION AUTHORIZATION. I would not want to bet a lot on that
>> being bulletproof, however.
> Me neither. But out of interest, do you know what the intent was for the SESSION and LOCAL modifiers for SET ROLE?
> Both seem to do nothing more than regular SET ROLE, but are PostgreSQL extensions.
Those are just there because they're there for any SET <variable> command.
LOCAL means "set just for the duration of this transaction". SESSION is
only a noise word IIRC, ie, it lets you explicitly specify the default
behavior.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ilya Ashchepkov | 2014-12-02 05:40:55 | Re: PG94RC1- plv8 functions - problem with input parameter length |
| Previous Message | Bryn Jeffries | 2014-12-02 00:52:00 | Re: Irreversible SET ROLE |