On Thu, Aug 12, 2021 at 04:30:12PM -0400, Tom Lane wrote: > Mladen Gogala <gogala.mladen@xxxxxxxxx> writes: > > Unfortunately, only a superuser can set log_statement='all'; Would it be > > possible to execute set session log_statement='all'; as an ordinary > > user? I am trying to execute it from login.sql, a part of login_hook > > extension which implements on-login triggers in PostgreSQL. I will > > create a procedure with security definer, owned by the role "postgres", > > and grant it to public. That should do the trick. However, it would be > > much nicer if PostgreSQL allowed me to set the parameter as a part of > > the normal session. > > If an ordinary user could manipulate that parameter, he could equally > well hide his activities from the system log. Conversely, if the > postmaster log setup is such that not a lot of volume is expected, > then flooding it with extra traffic could create its own set of > problems. Thus, basically all parameters that affect what is logged > are superuser-only, and it'd be a hard sell to weaken that. The > SECURITY DEFINER function approach is your best bet for poking local > exceptions into that policy. The nice thing about SECURITY DEFINER is that the super user controls what values it can be set to. -- Bruce Momjian <bruce@xxxxxxxxxx> https://momjian.us EDB https://enterprisedb.com If only the physical world exists, free will is an illusion.
