Re: MAINTAIN privilege -- what do we need to un-revert it?
Nathan Bossart <nathandbossart@gmail.com>
From: Nathan Bossart <nathandbossart@gmail.com>
To: Jeff Davis <pgsql@j-davis.com>
Cc: pgsql-hackers@postgresql.org, Joe Conway <mail@joeconway.com>, Robert Haas <robertmhaas@gmail.com>
Date: 2024-02-23T21:30:55Z
Lists: pgsql-hackers
(Apologies in advance for anything I'm bringing up that we've already
covered somewhere else.)
On Fri, Feb 16, 2024 at 04:03:55PM -0800, Jeff Davis wrote:
> Note the changes in amcheck. It's creating functions and calling those
> functions from the comparators, and so the comparators need to set the
> search_path. I don't think that's terribly common, but does represent a
> behavior change and could break something.
Why is this change needed? Is the idea to make amcheck follow the same
rules as maintenance commands to encourage folks to set up index functions
correctly? Or is amcheck similarly affected by search_path tricks?
> void
> InitializeSearchPath(void)
> {
> + /* Make the context we'll keep search path cache hashtable in */
> + SearchPathCacheContext = AllocSetContextCreate(TopMemoryContext,
> + "search_path processing cache",
> + ALLOCSET_DEFAULT_SIZES);
> +
> if (IsBootstrapProcessingMode())
> {
> /*
> @@ -4739,11 +4744,6 @@ InitializeSearchPath(void)
> }
> else
> {
> - /* Make the context we'll keep search path cache hashtable in */
> - SearchPathCacheContext = AllocSetContextCreate(TopMemoryContext,
> - "search_path processing cache",
> - ALLOCSET_DEFAULT_SIZES);
> -
What is the purpose of this change?
> + SetConfigOption("search_path", GUC_SAFE_SEARCH_PATH, PGC_USERSET,
> + PGC_S_SESSION);
I wonder if it's worth using PGC_S_INTERACTIVE or introducing a new value
for these.
> +/*
> + * Safe search path when executing code as the table owner, such as during
> + * maintenance operations.
> + */
> +#define GUC_SAFE_SEARCH_PATH "pg_catalog, pg_temp"
Is including pg_temp actually safe? I worry that a user could use their
temporary schema to inject objects that would take the place of
non-schema-qualified stuff in functions.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
Commits
-
doc: Note that CREATE MATERIALIZED VIEW restricts search_path.
- d8ebcac547d7 18.0 landed
- 18cea252ac74 17.1 landed
-
Small refactoring around ExecCreateTableAs().
- 7926a9a80f6d 18.0 landed
-
Add is_create parameter to RefreshMatviewByOid().
- ca2eea3ac89a 18.0 landed
-
Remove unused ParamListInfo argument from ExecRefreshMatView.
- f683d3a4ca6d 18.0 landed
-
When creating materialized views, use REFRESH to load data.
- 4b74ebf726d4 18.0 landed
- b4da732fd64e 17.0 landed
-
Add missing RestrictSearchPath() calls.
- a15b0edb5dd9 17.0 landed
- 8e28778ce396 18.0 landed
-
Fix search_path to a safe value during maintenance operations.
- 2af07e2f749a 17.0 landed
-
Revert MAINTAIN privilege and pg_maintain predefined role.
- 151c22deee66 17.0 cited
-
Avoid repeated name lookups during table and index DDL.
- 5f173040e324 9.4.0 cited
-
Add a materialized view relations.
- 3bf3ab8c5636 9.3.0 cited