Default session role broken in PostgreSQL 14.14?

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Maxime Legault-Venne <[email protected]>
To: [email protected] <[email protected]>
Subject: Default session role broken in PostgreSQL 14.14?
Date: Mon, 18 Nov 2024 21:24:04 +0000
Message-ID: <DM6PR08MB4203384F44E9680BFDCC34A0FE272@DM6PR08MB4203.namprd08.prod.outlook.com> (raw)

Hello,

I noticed a change of behaviour since PostgreSQL 14.14 that is breaking the permissions in my application: it looks like the “ALTER ROLE <role> IN DATABASE <db> SET ROLE <session-role>” is no longer applied when <role> is connecting to the database. For example, I have this setup to create my database and roles:

-- Create my admin group for the new db
CREATE ROLE db1_admin_group;
GRANT db1_admin_group TO postgres;

-- Create the new db
CREATE DATABASE db1 OWNER db1_admin_group;

-- Grant proper permissions to the admin group
GRANT pg_write_all_data, pg_read_all_data TO db1_admin_group;
GRANT CONNECT ON DATABASE db1 TO db1_admin_group;

-- Create a new user in the admin group
CREATE USER admin1 PASSWORD 'admin1pass';
GRANT db1_admin_group TO admin1;
ALTER ROLE admin1 IN DATABASE db1 SET ROLE db1_admin_group;

-- Then connecting on db1, revoke all default permissions
REVOKE ALL ON DATABASE db1 FROM public;
REVOKE ALL ON SCHEMA public FROM public;

This setup ensures me that the database objects are properly created as that db’s admin group without the users needing to remember to run a “SET ROLE db1_admin_group” after establishing a connection to the database.

In versions 14.13 and earlier, admin1 connecting to db1 would get the following:

db1=> select current_user, session_user;
  current_user   | session_user
-----------------+--------------
db1_admin_group | admin1

But with 14.14, I get this result:

db1=> select current_user, session_user;
current_user | session_user
--------------+--------------
admin1       | admin1

I know there was this CVE fixed in the latest release https://www.postgresql.org/support/security/CVE-2024-10978/, could it be related? Is the new behaviour I’m observing expected or is it an issue? If it is expected, is there any other recommended way I could achieve what I’m trying to do?

Thank you!
Max

view thread (2+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: Default session role broken in PostgreSQL 14.14?
  In-Reply-To: <DM6PR08MB4203384F44E9680BFDCC34A0FE272@DM6PR08MB4203.namprd08.prod.outlook.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox