Move privilege check for SET SESSION AUTHORIZATION.

Presently, the privilege check for SET SESSION AUTHORIZATION is performed in session_authorization's assign_hook. A relevant comment states, "It's OK because the check does not require catalog access and can't fail during an end-of-transaction GUC reversion..." However, we plan to add a catalog lookup to this privilege check in a follow-up commit. This commit moves this privilege check to the check_hook for session_authorization. Like check_role(), we do not throw a hard error for insufficient privileges when the source is PGC_S_TEST. Author: Joseph Koshakow Discussion: https://postgr.es/m/CAAvxfHc-HHzONQ2oXdvhFF9ayRnidPwK%2BfVBhRzaBWYYLVQL-g%40mail.gmail.com
2025-07-05 07:21:24 +03:00 · 2023-07-13 21:10:36 -07:00
parent edca342434
commit 9987a7bf34
3 changed files with 41 additions and 22 deletions
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@ -821,14 +821,16 @@ check_session_authorization(char **newval, void **extra, GucSource source)
 		return false;
 	}

+	/*
+	 * When source == PGC_S_TEST, we don't throw a hard error for a
+	 * nonexistent user name or insufficient privileges, only a NOTICE. See
+	 * comments in guc.h.
+	 */
+
 	/* Look up the username */
 	roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(*newval));
 	if (!HeapTupleIsValid(roleTup))
 	{
-		/*
-		 * When source == PGC_S_TEST, we don't throw a hard error for a
-		 * nonexistent user name, only a NOTICE.  See comments in guc.h.
-		 */
 		if (source == PGC_S_TEST)
 		{
 			ereport(NOTICE,
@ -846,6 +848,28 @@ check_session_authorization(char **newval, void **extra, GucSource source)

 	ReleaseSysCache(roleTup);

+	/*
+	 * Only superusers may SET SESSION AUTHORIZATION a role other than itself.
+	 * Note that in case of multiple SETs in a single session, the original
+	 * authenticated user's superuserness is what matters.
+	 */
+	if (roleid != GetAuthenticatedUserId() &&
+		!GetAuthenticatedUserIsSuperuser())
+	{
+		if (source == PGC_S_TEST)
+		{
+			ereport(NOTICE,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("permission will be denied to set session authorization \"%s\"",
+							*newval)));
+			return true;
+		}
+		GUC_check_errcode(ERRCODE_INSUFFICIENT_PRIVILEGE);
+		GUC_check_errmsg("permission denied to set session authorization \"%s\"",
+						 *newval);
+		return false;
+	}
+
 	/* Set up "extra" struct for assign_session_authorization to use */
 	myextra = (role_auth_extra *) guc_malloc(LOG, sizeof(role_auth_extra));
 	if (!myextra)