On 05/17/2015 07:39 PM, Tom Lane wrote:
> José Luis Tallón <jltallon@adv-solutions.net> writes:
>> On the other hand, ISTM that what we all intend to achieve is some
>> Postgres equivalent of the SUID bit... so why not just do something
>> equivalent?
>> -------
>> LOGIN -- as user with the appropriate role membership / privilege?
>> ...
>> SET ROLE / SET SESSION AUTHORIZATION WITH COOKIE / IMPERSONATE
>> ... do whatever ... -- unprivileged user can NOT do the
>> "impersonate" thing
>> DISCARD ALL -- implicitly restore previous authz
>> -------
> Oh? What stops the unprivileged user from doing DISCARD ALL?
Indeed. The pooler would need to block this.
Or we would need to invent another (this time, privileged) verb in order
to restore authz.
> I think if we have something like this, it has to be non-resettable
> period: you can't get back the old session ID except by reconnecting
> and re-authorizing. Otherwise there's just too much risk of security
> holes.
Yes.
Thank you for your feedback, Tom.
/ J.L.