dest_role_whitelist was renamed to now nosuperuser_target_whitelist (…

…GUC) -or- NOSU_TargetWhitelist (C)

README.md

@@ -68,14 +68,13 @@ Specifically, when an allowed user executes `set_user('rolename')` or
 * [Post-execution hook](#post_set_user_hook)  for `set_user` is called if it is set.
 
 Only users with `EXECUTE` permission on `set_user_u('rolename')` may escalate to
-superuser. Additionally, all rules in [whitelist](#whitelist-rules-and-logic)
-apply to `set_user.superuser_whitelist` and `set_user_u('rolename')` with respect
-to the `rolename` argument.
+superuser. Additionally, all rules in [Superuser Whitelist](#superuser-whitelist-rules-and-logic)
+apply to `set_user.superuser_whitelist` and `set_user_u('rolename')`.
 
 User's calling `set_user('rolename')` can only transition to roles listed or
 included in `set_user.dest_role_whitelist` (defaults to all roles). Additionally
-the [Whitelist logic](#whitelist-rules-and-logic) applies to `current_user` when
-`set_user()` is invoked.
+the logic in [Nosuperuser Whitelist](#nosuperuser-target-whitelist-rules-and-logic)
+applies to `current_user` when `set_user()` is invoked.
 
 Additionally, with `set_user('rolename','token')` the `token` is stored for the
 lifetime of the session.
@@ -140,10 +139,8 @@ Alternatively, transitions can be made to superusers through use of
 SELECT set_user_u('postgres');
 ```
 
-**Note:** Superuser escalation is only allowed for the roles listed in
-`set_user.superuser_whitelist`. If the whitelist is equal to `'*'`, all roles
-that have been granted `EXECUTE` on `set_user_u` can escalate to superuser.
-This is the default setting of `set_user.superuser_whitelist`.
+**Note:** See rules in [Superuser Whitelist](#superuser-whitelist-rules-and-logic)
+for logic around calling set_user_u. See 
 
 Once one or more unprivileged users are able to run `set_user_u()` in order to
 escalate their privileges, the superuser account (typically `postgres`) can be
@@ -155,14 +152,42 @@ to ensure there are no other PostgreSQL roles existing which are both superuser
 and can log in. Additionally there must be no unprivileged PostgreSQL roles
 which have been granted access to one of the existing superuser roles.
 
-#### Whitelist rules and logic
-
-For configuration options that end in `_whitelist` the following logic applies.
-
-* only roles explicitly listed or included by a group that is explicitly
-  listed (e.g. `'+admin'`) are allowed
-* if the whitelist is set to the empty set `''` all roles are denied
-* the default is `'*'` which means all roles are allowed
+#### Superuser Whitelist Rules and Logic
+
+The following rules govern escalation to superuser via the set_user_u('rolename')
+function:
+
+* current_user must be GRANTed EXECUTE ON FUNCTION set_user_u('rolename') OR
+  current_user must be the OWNER of the set_user_u function OR current_user must
+  be a superuser.
+* current_user must be listed in set_user.superuser_whitelist OR current_user
+  must belong to a group that is listed in set_user.superuser_whitelist
+  (e.g. '+admin')
+* If set_user.superuser_whitelist is the empty set , '', superuser escalation is
+  blocked for all users.
+* If set_user.superuser_whitelist is the wildcard character, '*', all users
+  with EXECUTE permission on set_user_u('rolename') can escalate to superuser.
+* If set_user.superuser_whitelist is not specified, the value defaults to the
+  wildcard character, '*'.
+
+#### Nosuperuser Target Whitelist Rules and Logic
+
+The following rules govern non-superuser role transitions through use of the
+  set_user('rolename') function:
+
+* current_user must be GRANTed EXECUTE ON FUNCTION set_user('rolename') OR
+  current_user must be the OWNER of the set_user function OR current_user must
+  be a superuser.
+* The destination rolename must be listed in set_user.nosuperuser_target_whitelist
+  OR the destination rolename must belong to a group that is listed in
+  set_user.nosuperuser_target_whitelist (e.g. '+client')
+* If set_user.dest_role_whitelist is the empty set , '', set_user transitioning
+  to non-superusers is blocked for all users.
+* If set_user.dest_role_whitelist is the wildcard character, '*', all users
+  with EXECUTE permission on set_user('rolename') can transition to any other
+  non-superuser role.
+* If set_user.dest_user_whitelist is not specified, the value defaults to the
+  wildcard character, '*'.
 
 #### Perform Actions With Enhanced Logging
 

set_user.c

@@ -128,7 +128,7 @@ static bool Block_CP = false;
 
 static bool Block_LS = false;
 static char *SU_Whitelist = NULL;
-static char *Dest_role_whitelist = NULL;
+static char *NOSU_TargetWhitelist = NULL;
 static char *SU_AuditTag = NULL;
 
 #ifdef HAS_TWO_ARG_GETUSERNAMEFROMID
@@ -349,11 +349,12 @@ set_user(PG_FUNCTION_ARGS)
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("switching to superuser not allowed"),
 						 errhint("Add current user to set_user.superuser_whitelist.")));
-		} else if(!check_user_whitelist(NewUserId, Dest_role_whitelist))
+		}
+			else if(!check_user_whitelist(NewUserId, NOSU_TargetWhitelist))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("switching to role is not allowed"),
-						 errhint("Add the role to set_user.dest_role_whitelist.")));
+						 errhint("Add the role to set_user.nosuperuser_target_whitelist.")));
 
 		/* keep track of original userid and value of log_statement */
 		save_OldUserId = OldUserId;
@@ -472,9 +473,9 @@ _PG_init(void)
 							 NULL, &Block_LS, true, PGC_SIGHUP,
 							 0, NULL, NULL, NULL);
 
-	DefineCustomStringVariable("set_user.dest_role_whitelist",
+	DefineCustomStringVariable("set_user.nosuperuser_target_whitelist",
 							 "List of roles that can be an argument to set_user",
-							 NULL, &Dest_role_whitelist, WHITELIST_WILDCARD, PGC_SIGHUP,
+							 NULL, &NOSU_TargetWhitelist, WHITELIST_WILDCARD, PGC_SIGHUP,
 							 0, NULL, NULL, NULL);
 
 	DefineCustomStringVariable("set_user.superuser_whitelist",