On Mon, 27 Jan 2003, Shridhar Daithankar wrote: > I went thr http://candle.pha.pa.us/main/writings/pgsql/sgml/sql-set-session- > authorization.html to get what it is. I didn't have an idea of such thing. > > Back to the topic, yes, pretty much except for few differences. > > 1) It says 'The session user identifier may be changed only if the initial > session user (the authenticated user) had the superuser privilege. Otherwise, > the command is accepted only if it specifies the authenticated user name.' > > That mean an ordinary user can not set session to any other authorised user. It > is like running setuid program with input accessible to any user. > > 2) Where do I specify password? I mean I take a password and start a connection > to database. But when it comes to switching connection, there is no password. > Probably because only superuser can switch connection? > > If there is a password clause there and if any user can switch to any user, > then it is the thing I am looking for. Probably even excluding switching to > superuser as a security measure.
I need this feature also. The problem with set session authorization is that you can always change back so it's not that secure. Actually I wanted to have a function that could augment the privileges of user if supplied the right password, which in turn had nothing to do with original password. I believe it could be easy to implement such a function in C. But it could be better and easier to have pl/pgsql function that could set the session authorization. So, could it be made possible that pl/pgsql functions created by superuser could "set session authorization" even when not called by superuser (or user logged in as superuser)? -- Antti Haapala ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
