Re: Preventing non-superusers from altering session authorization

Joseph Koshakow <koshy44@gmail.com>

From: Joseph Koshakow <koshy44@gmail.com>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2023-07-08T23:08:35Z
Lists: pgsql-hackers

Attachments

On Sat, Jul 8, 2023 at 6:09 PM Nathan Bossart <nathandbossart@gmail.com>
wrote:

>> I think the issue here is that if a session loses the ability to set
>> their session authorization in the middle of a transaction, then
>> rolling back the transaction may fail and cause the server to panic.
>> That's probably what the deleted comment mean when it said:
>>
>>> * It's OK because the check does not require catalog access and can't
>>> * fail during an end-of-transaction GUC reversion
>
> Yeah.  IIUC the ERROR longjmps to a block that calls AbortTransaction(),
> which ERRORs again when resetting the session authorization, which causes
> us to call AbortTransaction() again, etc., etc.

Everything seems to work fine if the privilege check is moved to
check_session_authorization. Which is maybe what the comment meant
instead of assign_session_authorization.

I've attached a patch with this change.

Thanks,
Joe Koshakow

Commits

  1. Fix privilege check for SET SESSION AUTHORIZATION.

  2. Move privilege check for SET SESSION AUTHORIZATION.

  3. Rename session_auth_is_superuser to current_role_is_superuser.