On Fri, Nov 22, 2024 at 6:57 AM <walt...@technowledgy.de> wrote:

> Yeah, this is still on my list of things to research more about
> eventually - currently still unsolved.
>
> For my use-case the NO RESET would need to apply until the end of the
> transaction, not end of the session.
>
> I imagine something like an extension, that would:
> - block any SET SESSION ROLE
> - block any RESET ROLE
> - only allow SET LOCAL ROLE when CURRENT_USER has the right to do so
>
> Then the effect of SET LOCAL ROLE would still be reversed at the end of
> the transaction, but you could never "escape" a SET LOCAL ROLE that was
> set earlier.


As things are now, would someone be able to do a RESET ROLE if *any*
code/function had a SQL injection vulnerability, or only if there was one
in the pooler?  Or (ideally) neither.  That's what a NO RESET option (or
some similar functionality) would provide with certainty.

I found this extension:

https://github.com/pgaudit/set_user

but haven't used it.  Seems to address this though, they introduce a
set_session_auth(token) function and then reset_role requires the token if
session_auth has been set.

Thanks,
Eric

Reply via email to