author Tom Lane <tgl@sss.pgh.pa.us> 2010-04-21 20:54:19 +0000
committer Tom Lane <tgl@sss.pgh.pa.us> 2010-04-21 20:54:19 +0000
commit a6dcd19a2a5064d753c1d5aa756a2d50cf05842d
tree a9c85c845c4ffd7033c3d48f5fcae12c89a4f070 /doc/src
parent f6e092701c6ac7bb98ed88a769daa13d3a1755d9
Enforce superuser permissions checks during ALTER ROLE/DATABASE SET, rather
than during define_custom_variable(). This entails rejecting an ALTER command if the target variable doesn't have a known (non-placeholder) definition, unless the calling user is superuser. When the variable *is* known, we can correctly apply the rule that only superusers can issue ALTER for SUSET parameters. This allows define_custom_variable to apply ALTER's values for SUSET parameters at module load time, secure in the knowledge that only a superuser could have set the ALTER value. This change fixes a longstanding gotcha in the usage of SUSET-level custom parameters; which is a good thing to fix now that plpgsql defines such a parameter.
Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/sgml/ref/alter_role.sgml 49
1 files changed, 27 insertions, 22 deletions
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index 3a2504cd0a0..dfd7b7c405c 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -1,5 +1,5 @@
<!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/alter_role.sgml,v 1.16 2010/04/03 07:22:57 petere Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/alter_role.sgml,v 1.17 2010/04/21 20:54:19 tgl Exp $
PostgreSQL documentation
-->
@@ -24,7 +24,7 @@ PostgreSQL documentation
ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replaceable class="PARAMETER">option</replaceable> [ ... ] ]
<phrase>where <replaceable class="PARAMETER">option</replaceable> can be:</phrase>
-
+
SUPERUSER | NOSUPERUSER
| CREATEDB | NOCREATEDB
| CREATEROLE | NOCREATEROLE
@@ -33,7 +33,7 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replace
| LOGIN | NOLOGIN
| CONNECTION LIMIT <replaceable class="PARAMETER">connlimit</replaceable>
| [ ENCRYPTED | UNENCRYPTED ] PASSWORD '<replaceable class="PARAMETER">password</replaceable>'
- | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
+ | VALID UNTIL '<replaceable class="PARAMETER">timestamp</replaceable>'
ALTER ROLE <replaceable class="PARAMETER">name</replaceable> RENAME TO <replaceable>new_name</replaceable>
@@ -54,7 +54,7 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
<para>
The first variant of this command listed in the synopsis can change
- many of the role attributes that can be specified in
+ many of the role attributes that can be specified in
<xref linkend="sql-createrole">.
(All the possible attributes are covered,
except that there are no options for adding or removing memberships; use
@@ -79,20 +79,24 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
password is <literal>MD5</>-encrypted.
</para>
- <para>
- The remaining variants change a role's session default for a configuration variable
- for all databases or, when the <literal>IN DATABASE</literal> clause is specified,
- for the named database. Whenever the role subsequently
+ <para>
+ The remaining variants change a role's session default for a configuration
+ variable, either for all databases or, when the <literal>IN
+ DATABASE</literal> clause is specified, only for sessions in
+ the named database. Whenever the role subsequently
starts a new session, the specified value becomes the session
default, overriding whatever setting is present in
<filename>postgresql.conf</> or has been received from the postgres
- command line. This only happens at login time, so configuration
- settings associated with a role to which you've <xref
- linkend="sql-set-role"> will be ignored. Settings set to
- a role directly are overridden by any database specific settings attached to a role.
+ command line. This only happens at login time; executing
+ <xref linkend="sql-set-role"> or
+ <xref linkend="sql-set-session-authorization"> does not cause new
+ configuration values to be set.
+ Settings set for all databases are overridden by database-specific settings
+ attached to a role.
Superusers can change anyone's session defaults. Roles having
<literal>CREATEROLE</> privilege can change defaults for non-superuser
- roles. Certain variables cannot be set this way, or can only be
+ roles. Ordinary roles can only set defaults for themselves.
+ Certain configuration variables cannot be set this way, or can only be
set if a superuser issues the command.
</para>
</refsect1>
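Review bot: The closing sentence of the rewritten paragraph, "Certain configuration variables cannot be set this way, or can only be set if a superuser issues the command", still leaves the new rule undocumented. The commit message describes a specific behaviour change: ALTER is rejected when the target variable has no known (non-placeholder) definition, unless the caller is a superuser. A non-superuser who tries to set a custom parameter that only has a placeholder definition will now get an error that nothing in this paragraph explains. Suggest adding a sentence that states this case explicitly, alongside the existing superuser-only wording.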
@@ -169,14 +173,15 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
<literal>RESET ALL</literal> to clear all role-specific settings.
<literal>SET FROM CURRENT</> saves the session's current value of
the parameter as the role-specific value.
- If used in conjunction with <literal>IN DATABASE</literal>, the configuration
+ If <literal>IN DATABASE</literal> is specified, the configuration
parameter is set or removed for the given role and database only.
</para>
<para>
- Role-specific variable setting take effect only at login;
- <xref linkend="sql-set-role">
- does not process role-specific variable settings.
+ Role-specific variable settings take effect only at login;
+ <xref linkend="sql-set-role"> and
+ <xref linkend="sql-set-session-authorization">
+ do not process role-specific variable settings.
</para>
<para>
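Review bot: The login-only rule is now stated in two places with different wording. The paragraph changed in the previous hunk says SET ROLE and SET SESSION AUTHORIZATION "does not cause new configuration values to be set", while this paragraph says they "do not process role-specific variable settings". Readers comparing the two may wonder whether they describe different behaviour. Suggest using one phrasing in both paragraphs, or keeping the full statement in one place and shortening the other.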
@@ -210,8 +215,8 @@ ALTER ROLE <replaceable class="PARAMETER">name</replaceable> [ IN DATABASE <repl
in cleartext, and it might also be logged in the client's command
history or the server log. <xref linkend="app-psql">
contains a command
- <command>\password</command> that can be used to safely change a
- role's password.
+ <command>\password</command> that can be used to change a
+ role's password without exposing the cleartext password.
</para>
<para>
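Review bot: In the \password sentence, "without exposing the cleartext password" is more precise than "safely", but it does not say which exposure is avoided. The context lines just above list several distinct ones: the password being sent in cleartext, the client's command history, and the server log. Suggest naming the ones \password actually covers, so a reader does not assume all three are handled.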
@@ -276,8 +281,8 @@ ALTER ROLE worker_bee SET maintenance_work_mem = 100000;
</para>
<para>
- Give a role a non-default, database-specific setting of the
- <xref linkend="guc-client-min-messages"> parameter:
+ Give a role a non-default, database-specific setting of the
+ <xref linkend="guc-client-min-messages"> parameter:
<programlisting>
ALTER ROLE fred IN DATABASE devel SET client_min_messages = DEBUG;
@@ -287,7 +292,7 @@ ALTER ROLE fred IN DATABASE devel SET client_min_messages = DEBUG;
<refsect1>
<title>Compatibility</title>
-
+
<para>
The <command>ALTER ROLE</command> statement is a
<productname>PostgreSQL</productname> extension.