From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Toomas <toomas(dot)kristin(at)gmail(dot)com>, Vijaykumar Jain <vijaykumarjain(dot)github(at)gmail(dot)com>, pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Can db user change own password? |
Date: | 2021-10-21 17:29:08 |
Message-ID: | c501fee1-8290-83ad-737e-c7c75a5409b8@aklaver.com |
Lists: | pgsql-general |
On 10/21/21 09:53, Tom Lane wrote:
> Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> writes:
> It's fairly obvious what's happening here: psql sends ALTER USER xxx
> PASSWORD ..., where it gets xxx from PQuser(), so that is the role name
> that was logged in with. There are any number of reasons why that might
> not be the currently active role.
>
> The psql man page says
>
> \password [ username ]
> Changes the password of the specified user (by default, the
> current user).
>
> So I'd say this is not doing what the documentation says.

Oops. That is where I got hung up.

>
> With server versions >= 9.5 we could dodge the issue by sending
> ALTER USER CURRENT_USER PASSWORD .... For older servers,
> I suppose we could do "SELECT CURRENT_USER" first.
>
> I'm not sure if we want to change a security-relevant behavior
> in released branches. But if we don't, we probably need to
> change the docs to something like "(by default, the logged-in
> user)".

I would suggest session(_)user to make it match with the rest of the
documentation.

>
> regards, tom lane
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
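
The role distinction discussed in this message, as an added example that is not part of the original thread or of psql's source: the statement shape built from the login name, the `CURRENT_USER` form suggested for servers >= 9.5, and the look-up-first fallback for older servers. The role names `app_login` and `app_owner` and the passwords are constructed placeholders, and `SET SESSION AUTHORIZATION` stands in for a real login.

```sql
-- Added example; run as a superuser in a scratch database.
-- Role names and passwords are constructed placeholders. The password
-- literals are cleartext here, whereas psql's \password hashes the
-- password client-side before sending it.
CREATE ROLE app_login LOGIN PASSWORD 'placeholder-old';
CREATE ROLE app_owner NOLOGIN;
GRANT app_owner TO app_login;

-- Stand-in for "logged in as app_login" (the name PQuser() would report).
SET SESSION AUTHORIZATION app_login;
-- One way the active role can end up different from the login role.
SET ROLE app_owner;

-- session_user: the role the session was authorized as.
-- current_user: the role privileges are checked against.
SELECT session_user, current_user;

-- (a) Statement shape built from the login name. It names app_login while
--     the privilege check runs as app_owner; a role without CREATEROLE may
--     only change its own password, so the server rejects this statement.
--     The script continues unless psql's ON_ERROR_STOP is set.
ALTER USER app_login PASSWORD 'placeholder-new';

-- (b) Servers >= 9.5: the server resolves the target to the active role.
ALTER USER CURRENT_USER PASSWORD 'placeholder-new';

-- (c) Older servers: look up CURRENT_USER first, then build the statement
--     with identifier (%I) and literal (%L) quoting.
DO $$
DECLARE
    target name;
BEGIN
    SELECT current_user INTO target;
    EXECUTE format('ALTER USER %I PASSWORD %L', target, 'placeholder-new');
END
$$;

-- Cleanup.
RESET ROLE;
RESET SESSION AUTHORIZATION;
DROP ROLE app_login, app_owner;
```

Forms (b) and (c) both act on the active role (`app_owner` here), not on the role that authenticated, which is the difference the proposed documentation wording is meant to make visible.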