Re: Can db user change own password?
From | Adrian Klaver |
---|---|
Subject | Re: Can db user change own password? |
Date | |
Msg-id | c501fee1-8290-83ad-737e-c7c75a5409b8@aklaver.com |
In reply to | Re: Can db user change own password? (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: Can db user change own password? |
List | pgsql-general |
On 10/21/21 09:53, Tom Lane wrote:
> Adrian Klaver <adrian.klaver@aklaver.com> writes:
>
> It's fairly obvious what's happening here: psql sends ALTER USER xxx
> PASSWORD ..., where it gets xxx from PQuser(), so that is the role name
> that was logged in with. There are any number of reasons why that might
> not be the currently active role.
>
> The psql man page says
>
>     \password [ username ]
>         Changes the password of the specified user (by default, the
>         current user).
>
> So I'd say this is not doing what the documentation says.

Oops. That is where I got hung up.

>
> With server versions >= 9.5 we could dodge the issue by sending
> ALTER USER CURRENT_USER PASSWORD .... For older servers,
> I suppose we could do "SELECT CURRENT_USER" first.
>
> I'm not sure if we want to change a security-relevant behavior
> in released branches. But if we don't, we probably need to
> change the docs to something like "(by default, the logged-in
> user)".

I would suggest session(_)user to make it match with the rest of documentation.

>
> regards, tom lane
>

--
Adrian Klaver
adrian.klaver@aklaver.com