ALTER ROLE/DATABASE RESET ALL versus security

Skip site navigation (1) Skip section navigation (2)

Peripheral Links

Text Size: Normal / Large
Donate
Contact

The world's most advanced open source database.

ALTER ROLE/DATABASE RESET ALL versus security

From:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:	Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc:	pgsql-hackers(at)postgreSQL(dot)org
Subject:	ALTER ROLE/DATABASE RESET ALL versus security
Date:	2009-11-14 00:08:22
Message-ID:	28907.1258157302@sss.pgh.pa.us (view raw or flat)
Thread:
Lists:	pgsql-hackers

It looks to me like the code in AlterSetting() will allow an ordinary
user to blow away all settings for himself.  Even those that are for
SUSET variables and were presumably set for him by a superuser.  Isn't
this a security hole?  I would expect that an unprivileged user should
not be able to change such settings, not even to the extent of
reverting to the installation-wide default.

			regards, tom lane

Responses

Re: ALTER ROLE/DATABASE RESET ALL versus security at 2009-11-14 02:01:43 from Bernd Helmle
Re: ALTER ROLE/DATABASE RESET ALL versus security at 2009-11-15 19:34:06 from Alvaro Herrera
Re: ALTER ROLE/DATABASE RESET ALL versus security at 2010-02-19 18:22:22 from Alvaro Herrera

pgsql-hackers by date

Next: From: James Mansion Date: 2009-11-14 00:14:28

Subject: Re: Listen / Notify rewrite

Previous: From: Alvaro Herrera Date: 2009-11-14 00:05:14

Subject: Re: tsearch parser inefficiency if text includes urls or emails - new version

Next:	From: James Mansion	Date: 2009-11-14 00:14:28
	Subject: Re: Listen / Notify rewrite
Previous:	From: Alvaro Herrera	Date: 2009-11-14 00:05:14
	Subject: Re: tsearch parser inefficiency if text includes urls or emails - new version

Search

Peripheral Links

ALTER ROLE/DATABASE RESET ALL versus security

Responses

pgsql-hackers by date