From: | Antti Haapala <antti(dot)haapala(at)iki(dot)fi> |
---|---|
To: | Shridhar Daithankar <shridhar_daithankar(at)persistent(dot)co(dot)in> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Switching connection on the fly |
Date: | 2003-01-27 15:20:08 |
Message-ID: | Pine.GSO.4.44.0301271709270.5339-100000@paju.oulu.fi |
Lists: | pgsql-hackers |

On Mon, 27 Jan 2003, Shridhar Daithankar wrote:
> I went through
> http://candle.pha.pa.us/main/writings/pgsql/sgml/sql-set-session-authorization.html
> to get what it is. I didn't have an idea of such a thing.
>
> Back to the topic, yes, pretty much except for a few differences.
>
> 1) It says 'The session user identifier may be changed only if the initial
> session user (the authenticated user) had the superuser privilege. Otherwise,
> the command is accepted only if it specifies the authenticated user name.'
>
> That means an ordinary user cannot set session to any other authorised user. It
> is like running setuid program with input accessible to any user.
>
> 2) Where do I specify password? I mean I take a password and start a connection
> to database. But when it comes to switching connection, there is no password.
> Probably because only superuser can switch connection?
>
> If there is a password clause there and if any user can switch to any user,
> then it is the thing I am looking for. Probably even excluding switching to
> superuser as a security measure.

I need this feature also. The problem with set session authorization is
that you can always change back, so it's not that secure. Actually I wanted
to have a function that could augment the privileges of a user if supplied
the right password, which in turn had nothing to do with the original
password. I believe it could be easy to implement such a function in C.
But it could be better and easier to have a pl/pgsql function that could set
the session authorization.

So, could it be made possible that pl/pgsql functions created by superuser
could "set session authorization" even when not called by superuser (or
user logged in as superuser)?

--
Antti Haapala
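
The "you can always change back" behaviour discussed in this message, shown as an added example that is not part of the original e-mail. It assumes a current PostgreSQL release, a scratch database and a superuser login; the role `app_user` and the table `payroll` are constructed for the illustration.

```sql
-- Run as a superuser in a scratch database.
-- app_user and payroll are constructed names, not from the thread.
CREATE ROLE app_user;
CREATE TABLE payroll (employee text, salary numeric);
INSERT INTO payroll VALUES ('alice', 5000);

-- Drop the session to the unprivileged identity.
SET SESSION AUTHORIZATION app_user;
SELECT session_user, current_user;

-- app_user holds no privilege on payroll, so this statement is refused.
SELECT * FROM payroll;

-- The permission check for changing session authorization is made against
-- the authenticated user (the superuser who opened the connection), not
-- against the current session user. Any statement that reaches this
-- session can therefore undo the drop:
RESET SESSION AUTHORIZATION;
SELECT session_user, current_user;

-- The session is a superuser again and the table is readable.
SELECT * FROM payroll;

-- Clean up the constructed objects.
DROP TABLE payroll;
DROP ROLE app_user;
```

Because the reset needs no credential, switching session authorization on a superuser connection does not confine SQL that comes from an untrusted source; the unprivileged identity has to be the one that authenticated.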