Preventing non-superusers from altering session authorization
Joseph Koshakow <koshy44@gmail.com>
From: Joseph Koshakow <koshy44@gmail.com>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2023-06-21T20:28:43Z
Lists: pgsql-hackers
Attachments
- v1-0001-Prevent-non-superusers-from-altering-session-auth.patch (text/x-patch) patch v1-0001
Hi all, I briefly mentioned this issue in another mailing thread [0]. Currently, a user is allowed to execute SET SESSION AUTHORIZATION [1] if the role they connected to PostgreSQL with was a superuser at the time of connection. Even if the role is later altered to no longer be a superuser, the session can still execute SET SESSION AUTHORIZATION, as long as the session isn't disconnected. As a consequence, if that role is altered to no longer be a superuser, then the user can use SET SESSION AUTHORIZATION to switch to another role that is a superuser and regain superuser privileges. They can even re-grant themselves the superuser attribute. It is possible that the user had already run SET SESSION AUTHORIZATION to set their session to a superuser before their connecting role lost the superuser attribute. In this case there's not much we can do. Also, from looking at the code and documentation, it looks like SET SESSION AUTHORIZATION works this way intentionally. However, I'm unable to figure out why we'd want it to work this way. I've attached a patch that would fix this issue by checking the catalog to see if the connecting role is currently a superuser every time SET SESSION AUTHORIZATION is run. However, according to the comment I deleted there's something invalid about reading the catalog from that function, though I wasn't able to understand it fully. One downside is that if a user switches their session authorization to some role, then loses the superuser attribute on their connecting role, they may be stuck in a that role with no way to reset their session authorization without disconnecting and reconnecting. Thanks, Joe Koshakow [0] https://www.postgresql.org/message-id/CAAvxfHco7iGw4NarymhfLWN6PjzYRrbYFt2BnSFeSD5sFzqEJQ%40mail.gmail.com [1] https://www.postgresql.org/docs/15/sql-set-session-authorization.html
Commits
-
Fix privilege check for SET SESSION AUTHORIZATION.
- a0363ab7aafd 17.0 landed
-
Move privilege check for SET SESSION AUTHORIZATION.
- 9987a7bf3406 17.0 landed
-
Rename session_auth_is_superuser to current_role_is_superuser.
- 0fef87753828 17.0 landed