From: Eric Hanson
Date: Fri, 22 Nov 2024 17:23:19 -0600
Subject: Re: Fwd: A million users
To: walther@technowledgy.de
Cc: Dominique Devienne, Alvaro Herrera, Vijaykumar Jain, pgsql-general, kaare@jasonic.dk

On Fri, Nov 22, 2024 at 6:57 AM <walther@technowledgy.de> wrote:
> Yeah, this is still on my list of things to research more about
> eventually - currently still unsolved.
>
> For my use-case the NO RESET would need to apply until the end of the
> transaction, not end of the session.
>
> I imagine something like an extension, that would:
> - block any SET SESSION ROLE
> - block any RESET ROLE
> - only allow SET LOCAL ROLE when CURRENT_USER has the right to do so
>
> Then the effect of SET LOCAL ROLE would still be reversed at the end of
> the transaction, but you could never "escape" a SET LOCAL ROLE that was
> set earlier.

As things are now, would someone be able to do a RESET ROLE if *any* code/function had a SQL injection vulnerability, or only if there was one in the pooler? Or (ideally) neither. That's what a NO RESET option (or some similar functionality) would provide with certainty.

I found this extension: https://github.com/pgaudit/set_user but haven't used it. Seems to address this though, they introduce a set_session_auth(token) function and then reset_role requires the token if session_auth has been set.

Thanks,
Eric
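A constructed SQL walk-through of the situation the thread discusses, added here as an illustration (it is not code from the thread, from any pooler, or from the set_user extension); the roles pooler, tenant_a and tenant_b and the table orders_a are made up for the example:

```sql
-- Constructed roles: pooler is the login role a connection pooler uses,
-- tenant_a / tenant_b are the roles it switches into for each request.
CREATE ROLE tenant_a NOLOGIN;
CREATE ROLE tenant_b NOLOGIN;
CREATE TABLE orders_a (id int, amount numeric);
ALTER TABLE orders_a OWNER TO tenant_a;

-- NOINHERIT keeps the pooler role itself powerless: membership exists
-- only so it may SET ROLE, so a RESET ROLE lands on a role that cannot
-- read tenant tables directly. ('placeholder' stands in for a real secret.)
CREATE ROLE pooler LOGIN NOINHERIT PASSWORD 'placeholder';
GRANT tenant_a, tenant_b TO pooler;

-- Per-request pattern the pooler issues on the connection:
BEGIN;
SET LOCAL ROLE tenant_a;
SELECT current_user, session_user;   -- tenant_a | pooler
SELECT count(*) FROM orders_a;       -- allowed: tenant_a owns the table

-- The point raised in the thread: any statement that reaches the same
-- transaction, whatever path it came through, can undo the SET LOCAL.
RESET ROLE;
SELECT current_user, session_user;   -- pooler | pooler
-- SET LOCAL ROLE tenant_b would now succeed; that is the gap a
-- NO RESET option would close. The NOINHERIT setup only limits what the
-- bare pooler role can do on its own:
SELECT count(*) FROM orders_a;       -- ERROR: permission denied
ROLLBACK;

-- Pooler-side guard appended before COMMIT: abort the transaction if the
-- role is no longer the one set at the start of the request.
BEGIN;
SET LOCAL ROLE tenant_a;
-- ... application statements run here ...
DO $$
BEGIN
  IF current_user <> 'tenant_a' THEN
    RAISE EXCEPTION 'role changed inside transaction: %', current_user;
  END IF;
END $$;
COMMIT;
```

The commit-time check only narrows the window: statements that COMMIT on their own before the guard runs are not caught, so it complements rather than replaces the NO RESET behaviour the thread asks for.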