Re: Preventing non-superusers from altering session authorization

Joseph Koshakow <koshy44@gmail.com>

From: Joseph Koshakow <koshy44@gmail.com>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2023-06-22T22:39:45Z
Lists: pgsql-hackers

Attachments

On Wed, Jun 21, 2023 at 11:48 PM Nathan Bossart <nathandbossart@gmail.com>
wrote:
>
>    On Wed, Jun 21, 2023 at 04:28:43PM -0400, Joseph Koshakow wrote:
>    > +     roleTup = SearchSysCache1(AUTHOID,
ObjectIdGetDatum(AuthenticatedUserId));
>    > +     if (!HeapTupleIsValid(roleTup))
>    > +             ereport(FATAL,
>    > +
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
>    > +                                             errmsg("role with OID
%u does not exist", AuthenticatedUserId)));
>    > +     rform = (Form_pg_authid) GETSTRUCT(roleTup);
>
>    I think "superuser_arg(AuthenticatedUserId)" would work here.

Yep, that worked. I've attached a patch with this change.

> I see that RESET SESSION AUTHORIZATION
> with a concurrently dropped role will FATAL with your patch but succeed
> without it, which could be part of the reason.

That might be a good change? If the original authenticated role ID no
longer exists then we may want to return an error when trying to set
your session authorization to that role.

Thanks,
Joe Koshakow

Commits

  1. Fix privilege check for SET SESSION AUTHORIZATION.

  2. Move privilege check for SET SESSION AUTHORIZATION.

  3. Rename session_auth_is_superuser to current_role_is_superuser.