| From: | Michał Kłeczek <michal(at)kleczek(dot)org> |
|---|---|
| To: | Calvin Guo <newoakllc2023(at)gmail(dot)com> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: set role command |
| Date: | 2025-11-24 13:13:19 |
| Message-ID: | 539FB9D9-7542-487E-AFA7-152EFF9FCC89@kleczek.org |
| Lists: | pgsql-general |
> On 24 Nov 2025, at 09:15, Calvin Guo <newoakllc2023(at)gmail(dot)com> wrote:
>
> I feel that set role logic is kind of misleading.
>
> I am a superuser, admin,
> I do:
> set role usera
> Now I am under the security context of usera, so I think running any sql is safe as long as it's allowed by usera.
>
> Which is not the case!
> as usera can do:
> set role userb; other sql,
> or
> reset role; other sql,
> it turns out it's not safe at all, the sql can easily get access rights of the super user. It can impersonate userb though they do not have any relationship whatsoever.
>
> I really feel, once you "set role usera", you should behave like usera, you should NOT have the power to say: hi, I can assume my super user power whenever I want. As this makes the "set role usera" pretty much useless.
>
> It's unsafe!
It is a known issue and there were various proposals (need to search the pgsql-hackers list). One of them being a “set role” message at the protocol level (i.e. unavailable from SQL). Another being “SET ROLE … PASSWORD …” and “RESET ROLE PASSWORD …”, which would allow resetting the role only when the password is known.
I don’t think any of them gained traction to be honest.
Kind regards,
--
Michal
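The behaviour the thread describes, as an added psql session that is not part of either message: a superuser does `SET ROLE usera`, and any statement run afterwards in that same session can undo it with `RESET ROLE` or jump to an unrelated role with `SET ROLE userb`, because the authenticated identity (`session_user`) is still the superuser. The role names `usera` and `userb` come from the thread; the superuser name `admin`, the table `secret_b` and the final check query are constructed for this example and are assumptions, not anything from the thread.

```sql
-- Added demonstration (not from the thread). Run in psql as a superuser;
-- the comments assume that superuser is called "admin", as in the question.
-- Roles usera/userb and table secret_b are constructed for this example.
CREATE ROLE usera LOGIN;
CREATE ROLE userb LOGIN;
CREATE TABLE secret_b (note text);
ALTER TABLE secret_b OWNER TO userb;    -- usera holds no grant on this table

SET ROLE usera;
SELECT current_user, session_user;      -- expect: usera | admin
SELECT * FROM secret_b;                 -- expect: permission denied

-- Anything that can issue SQL in this session can revert the SET ROLE,
-- because session_user (the authenticated identity) is still the superuser:
RESET ROLE;
SELECT current_user, session_user;      -- expect: admin | admin
SELECT * FROM secret_b;                 -- succeeds again

-- ...or move to an unrelated role directly; a superuser needs no membership:
SET ROLE userb;
SELECT * FROM secret_b;                 -- succeeds: current_user owns the table
RESET ROLE;

-- Check before treating SET ROLE as a sandbox: if the authenticated session
-- user is a superuser, every SET ROLE in the session is reversible by any
-- statement that runs in it.
SELECT session_user,
       rolsuper AS set_role_is_reversible
  FROM pg_roles
 WHERE rolname = session_user;

-- Clean up the constructed objects.
DROP TABLE secret_b;
DROP ROLE usera, userb;
```

The same reversibility applies to `SET SESSION AUTHORIZATION`, since `RESET SESSION AUTHORIZATION` is permitted whenever the originally authenticated user was a superuser. The privilege boundary that actually holds is the connection itself: SQL that should run with only `usera`'s rights belongs in a session authenticated as `usera` (for example `\c - usera` in psql, or a separate application connection), not in a superuser session that has merely switched role.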