Only force log_statement to all when block_log_statement is true
*and* the rolename being escalated to is a superuser. Update the docs
to match.
jconway committed Jul 14, 2017
1 parent eb891a7 commit 0c78666
Showing 2 changed files with 9 additions and 5 deletions.
5 changes: 2 additions & 3 deletions README.md
Expand Up @@ -26,17 +26,16 @@ reset_user(text token) returns text

## Description

This PostgreSQL extension allows switching users and optionally privilege escalation with enhanced logging and control. It provides an additional layer of logging and control when unprivileged users must escalate themselves to
superuser or object owner roles in order to perform needed maintenance tasks. Specifically, when an allowed user executes ```set_user('rolename')``` or ```set_user_u('rolename')```, several actions occur:
This PostgreSQL extension allows switching users and optionally privilege escalation with enhanced logging and control. It provides an additional layer of logging and control when unprivileged users must escalate themselves to superuser or object owner roles in order to perform needed maintenance tasks. Specifically, when an allowed user executes ```set_user('rolename')``` or ```set_user_u('rolename')```, several actions occur:

* The current effective user becomes ```rolename```.
* The role transition is logged, with specific notation if ```rolename``` is a superuser.
* log_statement setting is set to "all", meaning every SQL statement executed
while in this state will also get logged.
* If set_user.block_alter_system is set to "on", ```ALTER SYSTEM``` commands will be blocked.
* If set_user.block_copy_program is set to "on", ```COPY PROGRAM``` commands will be blocked.
* If set_user.block_log_statement is set to "on", ```SET log_statement``` and
variations will be blocked.
* If set_user.block_log_statement is set to "on" and ```rolename``` is a database superuser, the current log_statement setting is changed to "all", meaning every SQL statement executed

Only users with EXECUTE permission on ```set_user_u('rolename')``` may escalate to superuser. Additionally, only users explicitly listed in set_user.superuser_whitelist will be able to escalate to superuser. If set_user.superuser_whitelist is empty, superuser escalation is blocked for all users. If the wildcard character, '*' (default), is in the whitelist, all users with EXECUTE permission on ```set_user_u()``` will be permitted to escalate to superuser.
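
Review bot: The bullet added at the end of the list stops mid-sentence at "meaning every SQL statement executed", as rendered here; the continuation "while in this state will also get logged." appears only under the earlier log_statement bullet, so the new bullet should carry the full sentence. The description should also state the consequence for non-superuser targets: with this wording a set_user() transition to a non-superuser role no longer changes log_statement, so statements in that state are logged only if log_statement was already "all" for the session.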

9 changes: 7 additions & 2 deletions set_user.c
Expand Up @@ -312,8 +312,13 @@ set_user(PG_FUNCTION_ARGS)
false, false));
MemoryContextSwitchTo(oldcontext);

/* force logging of everything if block_log_statement is true */
if (Block_LS)
/*
* Force logging of everything if block_log_statement is true
* and we are escalating to superuser. If not escalating to superuser
* the caller could always set log_statement to all prior to using
* set_user, and ensure Block_LS is true.
*/
if (NewUser_is_superuser && Block_LS)
SetConfigOption("log_statement", "all", PGC_SUSET, PGC_S_SESSION);
}
else if (is_reset)
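
Review bot: The justification in the new comment, "the caller could always set log_statement to all prior to using set_user", needs qualifying, because the SetConfigOption call directly below it uses PGC_SUSET context, which suggests an unprivileged caller cannot change log_statement themselves. The comment should say who is expected to arrange that setting (for example an administrator, per role or per database), since after this change a transition to a non-superuser role with Block_LS on is statement-logged only if that was done beforehand. NewUser_is_superuser is not assigned anywhere in these lines, so please confirm it is set on every path that reaches this test.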
