From edf80895f6bda824403f843df91cbc83890e4b6c Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Fri, 15 Nov 2024 20:39:56 -0800 Subject: Fix per-session activation of ALTER {ROLE|DATABASE} SET role. After commit 5a2fed911a85ed6d8a015a6bafe3a0d9a69334ae, the catalog state resulting from these commands ceased to affect sessions. Restore the longstanding behavior, which is like beginning the session with a SET ROLE command. If cherry-picking the CVE-2024-10978 fixes, default to including this, too. (This fixes an unintended side effect of fixing CVE-2024-10978.) Back-patch to v12, like that commit. The release team decided to include v12, despite the original intent to halt v12 commits earlier this week. Tom Lane and Noah Misch. Reported by Etienne LAFARGE. Discussion: https://postgr.es/m/CADOZwSb0UsEr4_UTFXC5k7=fyyK8uKXekucd+-uuGjJsGBfxgw@mail.gmail.com --- src/backend/utils/misc/guc.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src/backend/utils/misc/guc.c') diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 79599a2c10f..b733e692de8 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -8287,6 +8287,12 @@ set_config_option_ext(const char *name, const char *value, * expect that if "role" isn't supposed to be default, it * has been or will be set by a separate reload action. * + * Also, for the call from InitializeSessionUserId with + * source == PGC_S_OVERRIDE, use PGC_S_DYNAMIC_DEFAULT for + * "role"'s source, so that it's still possible to set + * "role" from pg_db_role_setting entries. (See notes in + * InitializeSessionUserId before changing this.) + * * A fine point: for RESET session_authorization, we do * "RESET role" not "SET ROLE NONE" (by passing down NULL * rather than "none" for the value). This would have the 
@@ -8299,7 +8305,9 @@ set_config_option_ext(const char *name, const char *value, (void) set_config_option_ext("role", value ? "none" : NULL, orig_context, - orig_source, + (orig_source == PGC_S_OVERRIDE) + ? PGC_S_DYNAMIC_DEFAULT + : orig_source, orig_srole, action, true, -- cgit v1.2.3
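Review bot: In the first hunk (comment block at @@ -8287), the new paragraph states the effect ("so that it's still possible to set "role" from pg_db_role_setting entries") but not why passing PGC_S_OVERRIDE through would prevent it. A reader of guc.c has to follow the pointer to InitializeSessionUserId to learn that, and those notes are not part of this file-limited view. Consider adding one sentence here saying what goes wrong when "role" keeps the PGC_S_OVERRIDE source, so the comment stands on its own next to the code it justifies.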
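Review bot: In the second hunk (@@ -8299), the test `(orig_source == PGC_S_OVERRIDE)` is broader than the comment added above it, which scopes the substitution to "the call from InitializeSessionUserId with source == PGC_S_OVERRIDE". The code keys only on the source value, so any other path that sets session_authorization with PGC_S_OVERRIDE would also have "role" assigned with PGC_S_DYNAMIC_DEFAULT. Either confirm in the comment that InitializeSessionUserId is the only caller that reaches this branch with that source, or reword the comment to say the rule applies to every PGC_S_OVERRIDE caller. Since the commit message describes this as a regression from an earlier security fix, a regression test that starts a session after ALTER ROLE ... SET role and checks the active role would be worth having alongside this change; none is visible in this view.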