noset
noset
pg_noset : Module for blocking SET variables for non-super users.
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7420 | noset | pg_noset | 0.3.0 | SEC | AGPL-3.0 | C |
| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
--sLd-r | No | Yes | Yes | Yes | yes | no |
| Relationships | |
|---|---|
| See Also | pg_readonly pg_permissions set_user pgaudit login_hook sepgsql safeupdate credcheck |
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY | 0.3.0 | 18 17 16 15 14 | pg_noset | - |
| RPM | PIGSTY | 0.3.0 | 18 17 16 15 14 | noset_$v | - |
| DEB | PIGSTY | 0.3.0 | 18 17 16 15 14 | postgresql-$v-noset | - |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
el8.x86_64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
el8.aarch64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
el9.x86_64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
el9.aarch64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
el10.x86_64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
el10.aarch64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
d12.x86_64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
d12.aarch64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
d13.x86_64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
d13.aarch64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
u22.x86_64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
u22.aarch64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
u24.x86_64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
u24.aarch64 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 | PIGSTY 0.3.0 |
Source
pig build pkg pg_noset; # build rpm/debInstall
Make sure PGDG and PIGSTY repo available:
pig repo add pgsql -u # add both repo and update cacheInstall this extension with pig:
pig install pg_noset; # install via package name, for the active PG version
pig install noset; # install by extension name, for the current active PG version
pig install noset -v 18; # install for PG 18
pig install noset -v 17; # install for PG 17
pig install noset -v 16; # install for PG 16
pig install noset -v 15; # install for PG 15
pig install noset -v 14; # install for PG 14Config this extension to shared_preload_libraries:
shared_preload_libraries = 'noset';Create this extension with:
CREATE EXTENSION noset;Usage
noset: Prevent users from changing session parameters via SET/RESET
noset is a loadable module that prevents specific users from using SET or RESET commands to change session parameters.
CREATE EXTENSION noset;Configuration
Add to postgresql.conf:
shared_preload_libraries = 'noset'GUC Parameters
| Parameter | Default | Description |
|---|---|---|
noset.enabled | false | Enable SET/RESET blocking for the role |
noset.parameters | * | Parameters to block (comma-separated, * = all) |
Setting Up Per-User Restrictions
-- Block ALL SET/RESET for a user
ALTER USER appuser SET noset.enabled = true;
-- Block only specific parameters
ALTER USER appuser SET noset.enabled = true;
ALTER USER appuser SET noset.parameters = 'work_mem,jit';Example
-- As appuser:
SET work_mem = '1GB';
-- ERROR: permission denied to set/reset parameter 'set work_mem = '1GB';'
SET maintenance_work_mem = '1GB';
-- SET (allowed, not in blocked list)Finding Restricted Users
SELECT usename, useconfig FROM pg_user
WHERE useconfig IS NOT NULL
AND array['noset.enabled=on'] <@ useconfig;Notes
- Does not apply to superusers
- The extension revokes access to the
set_configfunction from PUBLIC
Last updated on