From 0c786661cfd4d33ce80dac66606f47da8cf31baf Mon Sep 17 00:00:00 2001
From: Joe Conway
Date: Fri, 14 Jul 2017 16:56:49 -0400
Subject: [PATCH] Only force log_statement to all when block_log_statement is true *and* the rolename being escalated to is a superuser. Update the docs to match.
---
 README.md | 5 ++---
 set_user.c | 9 +++++++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 7b794db..4a75828 100644
--- a/README.md
+++ b/README.md
@@ -26,17 +26,16 @@ reset_user(text token) returns text ## Description -This PostgreSQL extension allows switching users and optionally privilege escalation with enhanced logging and control. It provides an additional layer of logging and control when unprivileged users must escalate themselves to -superuser or object owner roles in order to perform needed maintenance tasks. Specifically, when an allowed user executes ```set_user('rolename')``` or ```set_user_u('rolename')```, several actions occur: +This PostgreSQL extension allows switching users and optionally privilege escalation with enhanced logging and control. It provides an additional layer of logging and control when unprivileged users must escalate themselves to superuser or object owner roles in order to perform needed maintenance tasks. Specifically, when an allowed user executes ```set_user('rolename')``` or ```set_user_u('rolename')```, several actions occur: * The current effective user becomes ```rolename```. * The role transition is logged, with specific notation if ```rolename``` is a superuser. -* log_statement setting is set to "all", meaning every SQL statement executed while in this state will also get logged. * If set_user.block_alter_system is set to "on", ```ALTER SYSTEM``` commands will be blocked. * If set_user.block_copy_program is set to "on", ```COPY PROGRAM``` commands will be blocked. * If set_user.block_log_statement is set to "on", ```SET log_statement``` and variations will be blocked. +* If set_user.block_log_statement is set to "on" and ```rolename``` is a database superuser, the current log_statement setting is changed to "all", meaning every SQL statement executed Only users with EXECUTE permission on ```set_user_u('rolename')``` may escalate to superuser. Additionally, only users explicitly listed in set_user.superuser_whitelist will be able to escalate to superuser. If set_user.superuser_whitelist is empty, superuser escalation is blocked for all users. 
If the wildcard character, '*' (default), is in the whitelist, all users with EXECUTE permission on ```set_user_u()``` will be permitted to escalate to superuser.
diff --git a/set_user.c b/set_user.c
index 62b73c9..8088de4 100644
--- a/set_user.c
+++ b/set_user.c
@@ -312,8 +312,13 @@ set_user(PG_FUNCTION_ARGS)
 false, false));
 MemoryContextSwitchTo(oldcontext);
 
- /* force logging of everything if block_log_statement is true */
- if (Block_LS)
+ /*
+ * Force logging of everything if block_log_statement is true
+ * and we are escalating to superuser. If not escalating to superuser
+ * the caller could always set log_statement to all prior to using
+ * set_user, and ensure Block_LS is true.
+ */
+ if (NewUser_is_superuser && Block_LS)
 SetConfigOption("log_statement", "all", PGC_SUSET, PGC_S_SESSION);
 }
 else if (is_reset)
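Review bot: The new comment above `if (NewUser_is_superuser && Block_LS)` does not say what a switch to a non-superuser role is left with: log_statement stays at whatever the session already had, and per the README bullet `SET log_statement` is still blocked while block_log_statement is on, so statements run under an object-owner role may go unlogged. I would state that outright, for example `/* Only superuser escalation forces log_statement to "all"; other targets keep the session's current value. */`, because the closing clause "and ensure Block_LS is true" reads ambiguously as to who ensures it. The `else if (is_reset)` branch lies outside the hunk, so whether it restores the saved value only when this branch changed it cannot be confirmed from here. set_user's body starts before the hunk and continues past it.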