Re: pgsql: Fix search_path to a safe value during maintenance operations.
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Jeff Davis <pgsql@j-davis.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Noah Misch <noah@leadboat.com>, pgsql-committers@lists.postgresql.org
Date: 2023-06-19T20:03:36Z
Lists: pgsql-hackers
On Thu, Jun 15, 2023 at 12:59 AM Jeff Davis <pgsql@j-davis.com> wrote: > On Tue, 2023-06-13 at 16:23 -0400, Tom Lane wrote: > > What I'm concerned about is making such a fundamental semantics > > change > > post-beta1. > > I have added the patch to the July CF for v17. > > If someone does feel like something should be done for v16, David G. > Johnston posted one possibility here: > > https://www.postgresql.org/message-id/CAKFQuwaVJkM9u+qpOaom2UkPE1sz0BASF-E5amxWPxncUhm4Hw@mail.gmail.com > > But as Noah pointed out, there are other privileges that can be abused, > so a workaround for 16 might not be important if we have a likely fix > for MAINTAIN coming in 17. Rather than is_superuser(userid) || userid == ownerid, I think that the test should be has_privs_of_role(userid, ownerid). I'm inclined to think that this is a real security issue and am not very sanguine about waiting another year to fix it, but at the same time, I'm somewhat worried that the proposed fix might be too narrow or wrongly-shaped. I'm not too convinced that we've properly understood what all of the problems in this area are. :-( -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
Fix search_path to a safe value during maintenance operations.
- 2af07e2f749a 17.0 landed
- 05e173735171 16.0 cited
-
Revert MAINTAIN privilege and pg_maintain predefined role.
- 957445996fda 16.0 landed
- 151c22deee66 17.0 landed
-
Add grantable MAINTAIN privilege and pg_maintain role.
- 60684dd834a2 16.0 cited
-
Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
- b073c3ccd06e 15.0 cited