From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Craig Ringer <craig(at)2ndquadrant(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: RFC: Non-user-resettable SET SESSION AUTHORISATION
Date: 2015-05-13 04:03:08
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Craig Ringer wrote:
> Hi all
> For some time I've wanted a way to "SET SESSION AUTHORISATION" or "SET
> ROLE" in a way that cannot simply be RESET, so that a connection may be
> handed to a less-trusted service or application to do some work with.

Some years back, I checked the SQL standard for insight on how they
handle this stuff (courtesy of Jim Nasby IIRC). It took me a while to
figure out that the way they do it is not to have a RESET command in the
first place! In their model, you enter a secure execution context (for
example, an SQL function) by calling SET SESSION AUTHORIZATION; and once
there, the only way to revert to the original session authorization is
to exit the execution context -- and once that happens, the "attacker"
no longer has control. Since they have reduced privileges, they can't
call SET SESSION AUTHORIZATION themselves to elevate their access. In
this model, you're automatically protected.

I mentioned this in some developer meeting; got blank stares back, IIRC.
I mentioned it to Stephen in hallway track, and as I recall he was in
agreement with what I was proposing. Biggest problem is, I can't recall
in detail what it was.

Not sure this helps you any ... Chilean $2 which are probably not worth
much [currently], I guess.

Álvaro Herrera
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Alvaro Herrera 2015-05-13 04:10:36 Re: Sequence Access Method WIP
Previous Message Abhijit Menon-Sen 2015-05-13 03:53:23 Re: a fast bloat measurement tool (was Re: Measuring relation free space)