Re: Preventing non-superusers from altering session authorization

From: Nathan Bossart <nathandbossart(at)gmail(dot)com>
To: Joseph Koshakow <koshy44(at)gmail(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Preventing non-superusers from altering session authorization
Date: 2023-07-10 20:31:58
Message-ID: 20230710203158.GA410521@nathanxps13
Lists: pgsql-hackers

On Sun, Jul 09, 2023 at 08:54:30PM -0400, Joseph Koshakow wrote:
> I just realized that you moved this comment from
> SetSessionAuthorization. I think we should leave the part about setting
> the GUC variable is_superuser on top of SetSessionAuthorization since
> that's where we actually set the GUC.

Okay. Here's a new patch set in which I believe I've addressed all
feedback. I didn't keep the GetAuthenticatedUserIsSuperuser() helper
function around, as I didn't see a strong need for it. And I haven't
touched the "is_superuser" GUC, either. I figured we can take up any
changes for it in the other thread.

--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

Attachments (name, content type, size):
  v6-0001-Rename-session_auth_is_superuser-to-current_role_.patch    text/x-diff    2.7 KB
  v6-0002-Move-session-auth-privilege-check-to-check_sessio.patch    text/x-diff    4.1 KB
  v6-0003-Prevent-non-superusers-from-altering-session-auth.patch    text/x-diff    6.3 KB
