Allow no password policy checks at all for changes done by a superuser

darold · darold · commit 9a29ff450ea1 · 2026-02-28T17:20:12.000+07:00
enabling new GUC credcheck.superuser_nocheck. Thanks to Jacute for the
feature request.
diff --git a/README.md b/README.md
@@ -102,7 +102,9 @@ There is also the `credcheck.whitelist` GUC that can be used to set a comma sepa
 ```
 credcheck.whitelist = 'admin,supuser'
 ```
-will disable any credcheck policy for the user named `admin` and  `supuser`.
+will disable any credcheck policy for password change of users named `admin` or `supuser`.
+
+To disable password policy checks for changes done by a superuser, enable GUC `credcheck.superuser_nocheck`.
 
 ### [Examples](#examples)
 
diff --git a/credcheck.c b/credcheck.c
@@ -249,6 +249,7 @@ static int auth_delay_milliseconds = 0;
 static bool password_change_first_login = false;
 static bool force_change_password = false;
 static bool disallow_change_password = false;
+static bool superuser_nocheck = false;
 
 #if PG_VERSION_NUM >= 120000
 /*
@@ -594,6 +595,13 @@ static void password_check(const char *username, const char *password)
 	Assert(username != NULL);
 	Assert(password != NULL);
 
+	/*
+	 * no passowrd check at all if the user is superuser
+	 * and superuser_nocheck is enabled
+	 */
+	if (superuser() && superuser_nocheck)
+		return;
+
 	/* checks has to be done by ignoring case */
 	if (password_ignore_case)
 	{
@@ -876,6 +884,11 @@ password_guc()
 				NULL, &disallow_change_password, false, PGC_SUSET, 0,
 				NULL, NULL, NULL);
 
+	DefineCustomBoolVariable("credcheck.superuser_nocheck",
+				gettext_noop("don't do password check if the logged user is a superuser"),
+				NULL, &superuser_nocheck, false, PGC_SUSET, 0,
+				NULL, NULL, NULL);
+
 }
 
 #if PG_VERSION_NUM >= 120000
@@ -1295,6 +1308,7 @@ check_password(const char *username, const char *password,
 #ifdef USE_CRACKLIB
 			const char *reason;
 #endif
+			/* don't do any password check if the role is whitelisted */
 			if (is_in_whitelist((char *)username, username_whitelist))
 				break;
 
diff --git a/test/expected/09_su_nocheck.out b/test/expected/09_su_nocheck.out
@@ -0,0 +1,10 @@
+LOAD 'credcheck';
+SET credcheck.password_min_upper To 4;
+CREATE USER aaa PASSWORD 'DuMmY4P';
+-- must return an error
+ALTER ROLE aaa PASSWORD 'DummY2';
+ERROR:  password does not contain the configured credcheck.password_min_upper characters (4)
+SET credcheck.superuser_nocheck TO on;
+-- no error
+ALTER ROLE aaa PASSWORD 'DummY2';
+DROP ROLE aaa;
diff --git a/test/sql/09_su_nocheck.sql b/test/sql/09_su_nocheck.sql
@@ -0,0 +1,10 @@
+LOAD 'credcheck';
+
+SET credcheck.password_min_upper To 4;
+CREATE USER aaa PASSWORD 'DuMmY4P';
+-- must return an error
+ALTER ROLE aaa PASSWORD 'DummY2';
+SET credcheck.superuser_nocheck TO on;
+-- no error
+ALTER ROLE aaa PASSWORD 'DummY2';
+DROP ROLE aaa;
