security: document SECURITY DEFINER interaction with df.start() and add start_use_session_user GUC #185
Draft
Copilot wants to merge 3 commits into
…sion_user GUC

- Add pg_durable.start_use_session_user GUC (Suset, superuser-only, default off) that captures session_user instead of current_user in df.start(), preventing SECURITY DEFINER wrappers from silently escalating the submitted identity.
- Add start_use_session_user() helper in src/types.rs.
- Update df.start() in src/dsl.rs to use GetSessionUserId() when GUC is on.
- Add prominent SECURITY DEFINER warning section to USER_GUIDE.md with an example, explanation, and three mitigation options.
- Add Security Best Practices item #5 for SECURITY DEFINER risk.
- Add E2E Test 6c in 13_user_isolation.sql to validate that with the GUC on, a SECURITY DEFINER wrapper captures session_user (not the definer).

Co-authored-by: pinodeca <32303022+pinodeca@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Document security definer interaction with df.start()" to "security: document SECURITY DEFINER interaction with df.start() and add start_use_session_user GUC" on May 27, 2026
`df.start()` captures identity via `GetUserId()` (`current_user`). Inside a `SECURITY DEFINER` function, `current_user` is the function owner, so any SQL in the `fut` argument executes with the definer's privileges — even when supplied by an unprivileged caller.

Changes

- `src/lib.rs` + `src/types.rs`: `pg_durable.start_use_session_user` (bool, default `off`, `Suset`/superuser-only, changeable at runtime); `start_use_session_user()` helper reads the GUC
- `src/dsl.rs`: `df.start()` now calls `GetSessionUserId()` when the GUC is `on`, `GetUserId()` otherwise — all downstream identity validation logic is unchanged
- `USER_GUIDE.md`: … `SECURITY INVOKER`)
- `tests/e2e/sql/13_user_isolation.sql`: with `start_use_session_user = on`, calling the same `SECURITY DEFINER` wrapper as `iso_alice` captures `session_user = iso_alice` (not the definer `postgres`), and the SQL node fails because alice has no access to the superuser-only table

Usage
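The identity mix-up described in the commit message and in the PR description above can be reproduced with plain PostgreSQL, without pg_durable. The script below is an added example, not code from the PR or from the project: `capture_current_user()` is a hypothetical stand-in for an entry point that records `current_user` the way the PR says `df.start()` does by default, and the role and table names (`demo_definer`, `demo_caller`, `demo_secret`) are constructed for the demo. It shows the risky `SECURITY DEFINER` wrapper beside the two mitigations the PR names (capturing `session_user`, and using `SECURITY INVOKER`), and uses `has_table_privilege()` to check what each captured identity could reach without actually reading anything. Run it as a superuser in a scratch database.

```sql
-- Added example (not part of the PR or of pg_durable). Role and table names
-- are constructed for this demo.

CREATE ROLE demo_definer;           -- constructed: privileged owner of the wrapper
CREATE ROLE demo_caller;            -- constructed: unprivileged caller

CREATE TABLE demo_secret (v text);  -- constructed: readable by the definer only
INSERT INTO demo_secret VALUES ('private');
REVOKE ALL ON demo_secret FROM PUBLIC;
GRANT SELECT ON demo_secret TO demo_definer;

-- Hypothetical stand-in for an identity-capturing entry point: it records
-- current_user, which is what the PR says df.start() captures by default.
CREATE FUNCTION capture_current_user() RETURNS text
LANGUAGE sql AS $$ SELECT current_user::text $$;

-- Risky wrapper: SECURITY DEFINER, so the identity captured inside it is the
-- owner (demo_definer), whoever called it.
CREATE FUNCTION start_via_definer() RETURNS text
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- standard hardening for definer functions
AS $$ SELECT capture_current_user() $$;
ALTER FUNCTION start_via_definer() OWNER TO demo_definer;

-- Mitigation 1: capture session_user instead. This is the behaviour the PR
-- describes for pg_durable.start_use_session_user = on.
CREATE FUNCTION start_via_definer_session() RETURNS text
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ SELECT session_user::text $$;
ALTER FUNCTION start_via_definer_session() OWNER TO demo_definer;

-- Mitigation 2: make the wrapper SECURITY INVOKER (the default), so the
-- caller's own privileges apply and nothing is escalated.
CREATE FUNCTION start_via_invoker() RETURNS text
LANGUAGE sql SECURITY INVOKER
AS $$ SELECT capture_current_user() $$;

-- EXECUTE is granted to PUBLIC by default; the grant is explicit here only to
-- make the trust boundary visible.
GRANT EXECUTE ON FUNCTION start_via_definer(), start_via_definer_session(),
                          start_via_invoker() TO demo_caller;

-- Observe the three captured identities as the unprivileged role.
-- Note: SET ROLE changes current_user but not session_user, so the second
-- column still shows the role you logged in as. In the PR's E2E test the
-- caller connects directly as iso_alice, which is why session_user there
-- equals the caller.
SET ROLE demo_caller;
SELECT start_via_definer()         AS captured_by_definer,    -- demo_definer
       start_via_definer_session() AS captured_session_user,  -- your login role
       start_via_invoker()         AS captured_by_invoker;    -- demo_caller

-- Consequence check without touching the data: what could each captured
-- identity read? Only the definer-captured identity can reach demo_secret.
SELECT has_table_privilege(start_via_definer(), 'demo_secret', 'SELECT') AS definer_can_read,  -- true
       has_table_privilege(start_via_invoker(), 'demo_secret', 'SELECT') AS invoker_can_read;  -- false
RESET ROLE;

-- Cleanup of the constructed objects.
DROP FUNCTION start_via_definer(), start_via_definer_session(), start_via_invoker(),
              capture_current_user();
DROP TABLE demo_secret;
DROP ROLE demo_definer, demo_caller;
```

The `has_table_privilege()` pair is the check worth keeping in a regression test: whichever identity a wrapper ends up submitting, the test should assert that it cannot reach objects the real caller is not granted. Note also that `SET ROLE` cannot be used inside a `SECURITY DEFINER` function, so "drop back to the caller" is not an option for a definer wrapper; the choices are the ones the PR lists.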