Re: pgsql: Fix search_path to a safe value during maintenance operations.
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jeff Davis <pgsql@j-davis.com>
Cc: Robert Haas <robertmhaas@gmail.com>, Noah Misch <noah@leadboat.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>,
Nathan Bossart <nathandbossart@gmail.com>
Date: 2023-06-30T00:53:56Z
Lists: pgsql-hackers
Jeff Davis <pgsql@j-davis.com> writes: > On Thu, 2023-06-29 at 11:19 -0400, Robert Haas wrote: >> We shouldn't ship a new feature with a built-in >> security hole like that. > Let's take David's suggestion[1] then, and only restrict the search > path for those without owner privileges on the object. I think that's a seriously awful kluge. It will mean that things behave differently for the owner than for MAINTAIN grantees, which pretty much destroys the use-case for that privilege, as well as being very confusing and hard to debug. Yes, *if* you're careful about search path cleanliness then you can make it work, but that will be a foot-gun forevermore. (I'm also less than convinced that this is sufficient to remove all security hazards. One pretty obvious question is do we really want superusers to be treated as owners, rather than MAINTAIN grantees, for this purpose.) I'm leaning to Robert's thought that we need to revert this for now, and think harder about how to make it work cleanly and safely. regards, tom lane
Commits
-
Fix search_path to a safe value during maintenance operations.
- 2af07e2f749a 17.0 landed
- 05e173735171 16.0 cited
-
Revert MAINTAIN privilege and pg_maintain predefined role.
- 957445996fda 16.0 landed
- 151c22deee66 17.0 landed
-
Add grantable MAINTAIN privilege and pg_maintain role.
- 60684dd834a2 16.0 cited
-
Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
- b073c3ccd06e 15.0 cited