mirror of
https://github.com/postgres/postgres.git
synced 2025-12-19 17:02:53 +03:00
eedb068c0a
and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
126 lines
3.9 KiB
Plaintext
126 lines
3.9 KiB
Plaintext
<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.17 2008/01/03 21:23:15 tgl Exp $ -->
|
|
<refentry id="SQL-SET-SESSION-AUTHORIZATION">
|
|
<refmeta>
|
|
<refentrytitle id="sql-set-session-authorization-title">SET SESSION AUTHORIZATION</refentrytitle>
|
|
<refmiscinfo>SQL - Language Statements</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>SET SESSION AUTHORIZATION</refname>
|
|
<refpurpose>set the session user identifier and the current user identifier of the current session</refpurpose>
|
|
</refnamediv>
|
|
|
|
<indexterm zone="sql-set-session-authorization">
|
|
<primary>SET SESSION AUTHORIZATION</primary>
|
|
</indexterm>
|
|
|
|
<refsynopsisdiv>
|
|
<synopsis>
|
|
SET [ SESSION | LOCAL ] SESSION AUTHORIZATION <replaceable class="parameter">username</replaceable>
|
|
SET [ SESSION | LOCAL ] SESSION AUTHORIZATION DEFAULT
|
|
RESET SESSION AUTHORIZATION
|
|
</synopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>
|
|
This command sets the session user identifier and the current user
|
|
identifier of the current SQL session to be <replaceable
|
|
class="parameter">username</replaceable>. The user name can be
|
|
written as either an identifier or a string literal. Using this
|
|
command, it is possible, for example, to temporarily become an
|
|
unprivileged user and later switch back to being a superuser.
|
|
</para>
|
|
|
|
<para>
|
|
The session user identifier is initially set to be the (possibly
|
|
authenticated) user name provided by the client. The current user
|
|
identifier is normally equal to the session user identifier, but
|
|
might change temporarily in the context of <literal>SECURITY DEFINER</>
|
|
functions and similar mechanisms; it can also be changed by
|
|
<xref linkend="sql-set-role" endterm="sql-set-role-title">.
|
|
The current user identifier is relevant for permission checking.
|
|
</para>
|
|
|
|
<para>
|
|
The session user identifier can be changed only if the initial session
|
|
user (the <firstterm>authenticated user</firstterm>) had the
|
|
superuser privilege. Otherwise, the command is accepted only if it
|
|
specifies the authenticated user name.
|
|
</para>
|
|
|
|
<para>
|
|
The <literal>SESSION</> and <literal>LOCAL</> modifiers act the same
|
|
as for the regular <xref linkend="SQL-SET" endterm="SQL-SET-title">
|
|
command.
|
|
</para>
|
|
|
|
<para>
|
|
The <literal>DEFAULT</> and <literal>RESET</> forms reset the session
|
|
and current user identifiers to be the originally authenticated user
|
|
name. These forms can be executed by any user.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Notes</title>
|
|
|
|
<para>
|
|
<command>SET SESSION AUTHORIZATION</> cannot be used within a
|
|
<literal>SECURITY DEFINER</> function.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
|
|
<programlisting>
|
|
SELECT SESSION_USER, CURRENT_USER;
|
|
|
|
session_user | current_user
|
|
--------------+--------------
|
|
peter | peter
|
|
|
|
SET SESSION AUTHORIZATION 'paul';
|
|
|
|
SELECT SESSION_USER, CURRENT_USER;
|
|
|
|
session_user | current_user
|
|
--------------+--------------
|
|
paul | paul
|
|
</programlisting>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Compatibility</title>
|
|
|
|
<para>
|
|
The SQL standard allows some other expressions to appear in place
|
|
of the literal <replaceable>username</replaceable>, but these options
|
|
are not important in practice. <productname>PostgreSQL</productname>
|
|
allows identifier syntax (<literal>"username"</literal>), which SQL
|
|
does not. SQL does not allow this command during a transaction;
|
|
<productname>PostgreSQL</productname> does not make this
|
|
restriction because there is no reason to.
|
|
The <literal>SESSION</> and <literal>LOCAL</> modifiers are a
|
|
<productname>PostgreSQL</productname> extension, as is the
|
|
<literal>RESET</> syntax.
|
|
</para>
|
|
|
|
<para>
|
|
The privileges necessary to execute this command are left
|
|
implementation-defined by the standard.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
|
|
<simplelist type="inline">
|
|
<member><xref linkend="sql-set-role" endterm="sql-set-role-title"></member>
|
|
</simplelist>
|
|
</refsect1>
|
|
</refentry>
|