Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm pretty sure it's not possible to prevent a role from setting session parameters.

I believe it is not possible to SET ROLE or SET SESSION AUTHORIZATION with code executed within a SECURITY DEFINER function (which is what you're asking to do), though as Tom Lane points out one shouldn't rely on that:

http://www.postgresql.org/message-id/10703.1417480773@sss.pg...

Given arbitrary SQLi, it's hard to see how one can do better than setting up an untrusted sandbox like that and executing your untrusted SQL there, but being able to prevent setting a session parameter would still be useful within that context.



I was hoping for something like mssql's "EXECUTE AS... NO REVERT" where reverting back to the previous role can be prevented.


Or in UNIX terms, this is simply "sudo -u". Seems like something that would be pretty useful.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: