Participants
VO Ipfix
VO Ipfix
Luca Ferrari
Luca Ferrari
Steven Winfield
Steven Winfield
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1VO IpfixVO Ipfix
Aug 06, 2019
#2Luca FerrariLuca Ferrarito VO Ipfix (#1)
Aug 06, 2019
#3Steven WinfieldSteven Winfieldto VO Ipfix (#1)
Aug 06, 2019
#4Tom LaneTom Laneto VO Ipfix (#1)
Aug 06, 2019

Preventing in-session 'set role' commands

Started by VO Ipfixover 6 years ago4 messagesgeneral
Jump to latest
#1VO Ipfix
VO Ipfix
ipfix5101@gmail.com

Hello everyone! I am working on a multi-tenant (sigh) DB design using
schemas. I anticipate a bunch of junior developers coming in before we
fully mature our testing process, so SQLi is a concern. Basically, I want
to have a role for each tenant, and have a user/role that will est. a DB
session from a connection pool then perform a set role followed by a set
schema to the schema that the tenant role has grants to. So, my main
requirement is this: after these two (or more) commands are invoked, the
current role should not be able to do a set role to any other role (tenant)
other than itself. This is to prevent an attacker-controlled SQL query that
has set role as part of its payload.Is this something that can be
accomplished with PostgreSQL? Any suggestions thoughts are welcome, however
tangential

#2Luca Ferrari
Luca Ferrari
fluca1978@gmail.com
In reply to: VO Ipfix (#1)
Re: Preventing in-session 'set role' commands

On Tue, Aug 6, 2019 at 10:26 AM VO Ipfix <ipfix5101@gmail.com> wrote:

Is this something that can be accomplished with PostgreSQL? Any suggestions thoughts are welcome, however tangential

Perhaps SET SESSION AUTHORIZATION?
<https://www.postgresql.org/docs/11/sql-set-session-authorization.html&gt;

Luca

#3Steven Winfield
Steven Winfield
Steven.Winfield@cantabcapital.com
In reply to: VO Ipfix (#1)
RE: Preventing in-session 'set role' commands

Maybe check out the set_user extension:
https://github.com/pgaudit/set_user

Steve.

#4Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: VO Ipfix (#1)
Re: Preventing in-session 'set role' commands

VO Ipfix <ipfix5101@gmail.com> writes:

Hello everyone! I am working on a multi-tenant (sigh) DB design using
schemas. I anticipate a bunch of junior developers coming in before we
fully mature our testing process, so SQLi is a concern. Basically, I want
to have a role for each tenant, and have a user/role that will est. a DB
session from a connection pool then perform a set role followed by a set
schema to the schema that the tenant role has grants to. So, my main
requirement is this: after these two (or more) commands are invoked, the
current role should not be able to do a set role to any other role (tenant)
other than itself. This is to prevent an attacker-controlled SQL query that
has set role as part of its payload.Is this something that can be
accomplished with PostgreSQL?

There's nothing built-in for that, but probably an event trigger could
be written to implement such a restriction.

As noted by another respondent, SET SESSION AUTHORIZATION might be a
better fit to your goals than SET ROLE. (I don't recall the exact
distinction between them -- ENOCAFFEINE -- but I think the former
gives up more privilege than the latter.) You'd still need a trigger.

regards, tom lane

← Back to Topics