> On 24 Nov 2025, at 09:15, Calvin Guo <[email protected]> wrote:
> 
> I feel that set role logic is kind of misleading.
> 
> I am a superuser, admin,
> I do:
> set role usera
> Now I am under the security context of usera, so I think running any sql is 
> safe as long as it's allowed by usera.
> 
> Which is not the case!
> as usera can do:
> set role userb; other sql,
> or 
> reset role; other sql,
> it turns out it's not safe at all, the sql can easily get access rights of the 
> super user. It can impersonate userb though they do not have any relationship 
> whatsoever.
> 
> I really feel, once you "set role usera", you should behave like usera, you 
> should NOT have the power to say: hi, I can assume my super user power whenever 
> I want. As this makes the "set role usera" pretty much useless.
> 
> It's unsafe!

It is a known issue and there were various proposals (need to search 
pgsql-hackers list). One of them being “set role” message at the protocol level 
(ie. unavailable from SQL). Another being “SET ROLE … PASSWORD …” and “RESET 
ROLE PASSWORD …” which would allow resetting the role only when the password is 
known.
I don’t think any of them gained traction to be honest.

Kind regards,

--
Michal
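An added SQL walkthrough of the behaviour Calvin describes, together with the check and the mitigation a defender has today. It is not code from this thread or from the PostgreSQL project; it assumes a superuser session logged in as a role named admin, reuses the thread's role names usera and userb, constructs a table named secrets for illustration, and relies on the WITH SET FALSE grant option that exists in PostgreSQL 16 and later.

```sql
-- Session 1: logged in as the superuser "admin" (assumed).
CREATE ROLE usera LOGIN;
CREATE ROLE userb LOGIN;
CREATE TABLE secrets (id int, payload text);   -- constructed sample table
REVOKE ALL ON secrets FROM PUBLIC;             -- neither usera nor userb may read it

-- SET ROLE changes current_user (what privilege checks use) but not
-- session_user (the identity the connection was authenticated as).
SET ROLE usera;
SELECT session_user, current_user;             -- admin | usera
SELECT count(*) FROM secrets;                  -- ERROR: permission denied for table secrets

-- This is the point of the thread: RESET ROLE always returns to session_user,
-- and a superuser session may SET ROLE to any role, so the "sandbox" is illusory.
RESET ROLE;
SELECT count(*) FROM secrets;                  -- succeeds again, full superuser power

-- Defender check: is the underlying session privileged even though the
-- current role looks harmless? Run this before treating a session as restricted.
SET ROLE usera;
SELECT session_user,
       current_user,
       (SELECT rolsuper FROM pg_roles WHERE rolname = session_user) AS session_is_super;
-- admin | usera | t   <- anything untrusted run here can RESET ROLE back to admin
RESET ROLE;

-- Mitigation: authenticate the connection as the low-privilege user instead of
-- stepping down from a superuser. Then RESET ROLE can only return to usera, and
-- SET ROLE is limited to roles usera has been granted with the SET option.
GRANT userb TO usera WITH SET FALSE;           -- PostgreSQL 16+: membership without SET ROLE

-- Session 2: a separate connection authenticated as usera
-- (e.g. psql "\c - usera" or a DSN with user=usera); session_user is now usera.
SELECT session_user, current_user;             -- usera | usera
SET ROLE userb;                                -- ERROR: permission denied to set role "userb"
RESET ROLE;                                    -- no-op: already at session_user usera
SELECT count(*) FROM secrets;                  -- ERROR: permission denied for table secrets
```

The two outcomes of the same `RESET ROLE` make the design point: the role a session can always fall back to is the one it authenticated as, so the privilege boundary has to be drawn at connection time (one connection per user, or a pooler that authenticates as the real user) rather than by `SET ROLE` inside a superuser session.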
