forked from pgaudit/set_user
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added whitelist for set_user() target
The GUC variable `set_user.nosuperuser_target_whitelist` can be used to limit the roles that any user can become when given access to execute set_user(). Previously, anyone with access to call set_user() could become any user that was not a superuser. This allowed for bypassing some security features by becoming the owner of an object. With the addition of a whitelist around the allowed target roles to set_user(), the scope of set_user can be limited to an approved list. With the default of set_user.nosuperuser_target_whitelist being '*', this change is backwards compatible and can be installed on existing configurations without reconfiguring. This has no effect on the current superuser_whitelist, as it is only called on when the target role is not a superuser.

Discussion in: pgaudit#18
Showing 2 changed files with 65 additions and 11 deletions.