Re: Preventing non-superusers from altering session authorization
| От | Joseph Koshakow |
|---|---|
| Тема | Re: Preventing non-superusers from altering session authorization |
| Дата | |
| Msg-id | CAAvxfHfq8Dgn1jBR2w+mLBUaPFvDvjavoRkzKBz0ZtJktGFS5A@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Preventing non-superusers from altering session authorization (Joseph Koshakow <koshy44@gmail.com>) |
| Ответы |
Re: Preventing non-superusers from altering session authorization
|
| Список | pgsql-hackers |
On Sun, Jul 9, 2023 at 1:03 PM Joseph Koshakow <koshy44@gmail.com> wrote:
>> * Only a superuser may set auth ID to something other than himself
> Is "auth ID" the right term here? Maybe something like "Only a
> superuser may set their session authorization/ID to something other
> than their authenticated ID."
>> But we set the GUC variable
>> * is_superuser to indicate whether the *current* session userid is a
>> * superuser.
> Just a small correction here, I believe the is_superuser GUC is meant
> to indicate whether the current user id is a superuser, not the current
> session user id. We only update is_superuser in SetSessionAuthorization
> because we are also updating the current user id in SetSessionUserId.
I just realized that you moved this comment from
SetSessionAuthorization. I think we should leave the part about setting
the GUC variable is_superuser on top of SetSessionAuthorization since
that's where we actually set the GUC.
Thanks,
Joe Koshakow
>> * Only a superuser may set auth ID to something other than himself
> Is "auth ID" the right term here? Maybe something like "Only a
> superuser may set their session authorization/ID to something other
> than their authenticated ID."
>> But we set the GUC variable
>> * is_superuser to indicate whether the *current* session userid is a
>> * superuser.
> Just a small correction here, I believe the is_superuser GUC is meant
> to indicate whether the current user id is a superuser, not the current
> session user id. We only update is_superuser in SetSessionAuthorization
> because we are also updating the current user id in SetSessionUserId.
I just realized that you moved this comment from
SetSessionAuthorization. I think we should leave the part about setting
the GUC variable is_superuser on top of SetSessionAuthorization since
that's where we actually set the GUC.
Thanks,
Joe Koshakow
В списке pgsql-hackers по дате отправления: