Re: pgsql: Add new GUC createrole_self_grant.
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2023-01-11T21:00:26Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > If you want to make safe a SECURITY DEFINER function written using sql > or plpgsql, you either have to schema-qualify every single reference > or, more realistically, attach a SET clause to the function to set the > search_path to a sane value during the time that the function is > executing. The problem here can be handled the same way, except that > it's needed in a vastly more limited set of circumstances: you have to > be calling a SECURITY DEFINER function that will execute CREATE ROLE > as a non-superuser (and that user then needs to be sensitive to the > value of this GUC in some security-relevant way). It might be good to > document this -- I just noticed that the CREATE FUNCTION page has a > section on "Writing SECURITY DEFINER Functions Safely" which talks > about dealing with the search_path issues, and it seems like it would > be worth adding a sentence or two there to talk about this. OK, I'd be satisfied with that. regards, tom lane
Commits
-
Assorted improvements to SECURITY DEFINER functions documentation.
- 6fa66ec88ff2 16.0 landed
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 cited