Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNVWd-004nre-2l for pgsql-general@arkaria.postgresql.org; Mon, 24 Nov 2025 12:18:35 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vNVWb-000npF-1d for pgsql-general@arkaria.postgresql.org; Mon, 24 Nov 2025 12:18:33 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNVWb-000np7-0a for pgsql-general@lists.postgresql.org; Mon, 24 Nov 2025 12:18:33 +0000 Received: from mail-lj1-x241.google.com ([2a00:1450:4864:20::241]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vNVWZ-001EB3-1p for pgsql-general@lists.postgresql.org; Mon, 24 Nov 2025 12:18:33 +0000 Received: by mail-lj1-x241.google.com with SMTP id 38308e7fff4ca-37bb8bef4cdso39708421fa.3 for ; Mon, 24 Nov 2025 04:18:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1763986709; x=1764591509; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:sender:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KFNVgK92Suc6lAlCD8iAdq5uCQzxUIjcRu/KmKdfZzQ=; b=eBF4z/oeSF4NZzvAQbQKvDuS9dZQIpDrsiCWRzb218mRL6U5fvScO0h3wvFYQJtIPS v6AvXXrqLMNCnVwDB5tp8kTUqONtob/mklvjnGsG9tUB4BNPaB7W827XYyafcBt9qGAJ qyYKhOMdFOvxnkTPjUkGqphQNHNHWA21960Cion+qI/LqhNPLAY8+48kTqPwyosEhhga opGQdiRhw9hDiFXrwsKiKWPvW4xjuBzrLh3vPmTyfvEBRC0bAAmKiBt5r1JS4s42gulF 1Dxgf2fk3ngOzTpEeBM8mgA4Mc2ns0/E4G18v8TXEtWNnUIbuh8V6HcBK5BhvAFfSqxw cGgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763986709; x=1764591509; h=cc:to:subject:message-id:date:from:x-google-sender-delegation :sender:in-reply-to:references:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=KFNVgK92Suc6lAlCD8iAdq5uCQzxUIjcRu/KmKdfZzQ=; b=UBv2N24RzWxgX/uvgWGQISH18BPlA/0fKAD6n4XrDJcdY45AQDfr3nEjClJSpa/NfY 3LWFUpJLDh46h0GSYfcJOOImYyBdsNICWxgnY1h8d4waAgdtehY74SteNuCUl6kWPaFU hevbiid3qdI2urK8ou6oA9kYP0fTh2T3MMoReq4ev7rAmX5yLaOf/B2EKo9rGKwtz0CA aS7lxglK03XRmWV1Gb0LbyowRBcAATBFsvnbWHi/LY3anCf0l1mriBiI03K+aATVgpWJ iNd0fgatPke5yIeQnMZRYlGoApFcRb+txByXHp7Jz1aaMFccHq8XTry+TUF+QsOrmpng wkhw== X-Gm-Message-State: AOJu0YzLf55GVPYo5sRuGJNqlZxpYcRX0HgowCaMsj7jByiMwjO6MYzR GalWHT39C4j562LMQYRbhiggB9WvunpXwxVb/qx3mZPXS8cfgdMnDbx6DIt/v6qX6a9Ryd5Tm9H t6pIdWzm4E+H9PWaiOOhQBSonuXCQRqjoMPPuhpg= X-Gm-Gg: ASbGncsXxnjnQqspqlc+kY8KZCGbNw1TbmzU5XNz2WbG7OHnzIHwrUqUPegZgW6h0u4 BVUgLKzE6V8D4OSunEfxCZvdO6iMJg6XqkqjB+7wDn6xjzWDolygdh6YyuRZzO3U8vV+36i1Ul2 ZNSqA52z1RaZ4KhdnRXjunpOfKb28ckHDHjdwoQIk3nK4lOtkENAShQHy8PNoZavBan1NVvEG1z T1xWSU4AhajI3A8zTAbM18T+SE1Fof3EB3Utjzk9rm8FLkjYUjtv+jlMSDnmw3mgCCldLs= X-Google-Smtp-Source: AGHT+IHVEDQBa385hSqi6w29HCur6pds7XsxK5eC5yYQ3zcv0IgjJuwpBV36h48FpoML6QBWnXwE5TJh8EO8rjm7fG4= X-Received: by 2002:a2e:a01a:0:b0:37b:94b0:9c94 with SMTP id 38308e7fff4ca-37cd927dc36mr29111041fa.29.1763986708323; Mon, 24 Nov 2025 04:18:28 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Sender: calvinguo@gmail.com X-Google-Sender-Delegation: calvinguo@gmail.com From: Calvin Guo Date: Mon, 24 Nov 2025 20:18:18 +0800 X-Google-Sender-Auth: XF9GtAQ6hpKcT3JbUvsNJ1elib8 X-Gm-Features: AWmQ_bm8rrXLrDgF685QgD69i0D6WPv7gghRQE4T6InBk3nmJmORdbuHbyJ6l28 Message-ID: Subject: Re: set role command To: rob stone Cc: pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="0000000000002362e4064456296b" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000002362e4064456296b Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable No, that's not the case. right now: usera can totally do: reset role, and then behave like userb. this behavior should not be allowed. userb can impernate usera, once the impersonation is done, it becomes usera, and it should NOT be able to impersonate userb. but right now, reset role will allow it. On Mon, Nov 24, 2025 at 8:06=E2=80=AFPM rob stone w= rote: > On Mon, 2025-11-24 at 16:15 +0800, Calvin Guo wrote: > > I feel that set role logic is kindof misleading. > > > > I am a superuser, admin, > > I do: > > set role usera > > Now I am under the security context of usera, so I think running any > > sql is safe as long as it's allowed by usera. > > > > Which is not the case! > > as usera can do: > > set role userb; other sql, > > or > > reset role; orther sql, > > it turns out it's not safe at all, the sql can easily get access > > right of the super user. it can impernate userb though they do not > > have any relationship whatso ever. > > > > I really feel, once you "set role usera", you should behave like > > usera, you should NOT have the power say: hi, I can assume my super > > user power whenever I want. As this make the "set role usera" pretty > > much useless. > > > > It's unsafe! > > > Hello, > > firstly you have to create a role usera and in doing so give it the > privileges you want usera to have. You can also restrict its privileges > by specifying the NO* range of options. > > So, if you are logged in as userb, say, doing "set role usera" simply > switches you out of userb into usera, and you behave as usera in that > session. > > HTH, > Rob > > > > --0000000000002362e4064456296b Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
No, that's not the case. right now: usera can totally = do: reset role, and then behave like userb.
this behavior should not be= allowed.=C2=A0
userb can impernate usera, once the impersonation= is done, it becomes usera, and it should NOT be able to impersonate userb.= but right now, reset role will allow it.

On Mon= , Nov 24, 2025 at 8:06=E2=80=AFPM rob stone <floriparob@tpg.com.au> wrote:
On Mon, 2025-11-24 at 16:15 +0800, Calvi= n Guo wrote:
> I feel that set role logic is kindof misleading.
>
> I am a superuser, admin,
> I do:
> set role usera
> Now I am under the security context of usera, so I think running any > sql is safe as long as it's allowed by usera.
>
> Which is not the case!
> as usera can do:
> set role userb; other sql,
> or=C2=A0
> reset role; orther sql,
> it turns out it's not safe at all, the sql can easily get access > right of the super user. it can impernate userb though they do not
> have any relationship whatso ever.
>
> I really feel, once you "set role usera", you should behave = like
> usera, you should NOT have the power say: hi, I can assume my super > user power whenever I want. As this make the "set role usera"= ; pretty
> much useless.
>
> It's unsafe!


Hello,

firstly you have to create a role usera and in doing so give it the
privileges you want usera to have. You can also restrict its privileges
by specifying the NO* range of options.

So, if you are logged in as userb, say, doing "set role usera" si= mply
switches you out of userb into usera, and you behave as usera in that
session.

HTH,
Rob



--0000000000002362e4064456296b--