Thread: Default session role broken in PostgreSQL 14.14?

Hello,

I noticed a change of behaviour since PostgreSQL 14.14 that is breaking the permissions in my application: it looks like the “ALTER ROLE <role> IN DATABASE <db> SET ROLE <session-role>” is no longer applied when <role> is connecting to the database. For example, I have this setup to create my database and roles:

-- Create my admin group for the new db

CREATE ROLE db1_admin_group;

GRANT db1_admin_group TO postgres;

-- Create the new db

CREATE DATABASE db1 OWNER db1_admin_group;

-- Grant proper permissions to the admin group

GRANT pg_write_all_data, pg_read_all_data TO db1_admin_group;

GRANT CONNECT ON DATABASE db1 TO db1_admin_group;

-- Create a new user in the admin group

CREATE USER admin1 PASSWORD 'admin1pass';

GRANT db1_admin_group TO admin1;

ALTER ROLE admin1 IN DATABASE db1 SET ROLE db1_admin_group;

-- Then connecting on db1, revoke all default permissions

REVOKE ALL ON DATABASE db1 FROM public;

REVOKE ALL ON SCHEMA public FROM public;

This setup ensures me that the database objects are properly created as that db’s admin group without the users needing to remember to run a “SET ROLE db1_admin_group” after establishing a connection to the database.

In versions 14.13 and earlier, admin1 connecting to db1 would get the following:

db1=> select current_user, session_user;

  current_user   | session_user

-----------------+--------------

db1_admin_group | admin1

But with 14.14, I get this result:

db1=> select current_user, session_user;

current_user | session_user

--------------+--------------

admin1       | admin1

I know there was this CVE fixed in the latest release https://www.postgresql.org/support/security/CVE-2024-10978/, could it be related? Is the new behaviour I’m observing expected or is it an issue? If it is expected, is there any other recommended way I could achieve what I’m trying to do?

Thank you!

Max