Re: pgsql: Fix search_path to a safe value during maintenance operations.

David G. Johnston <david.g.johnston@gmail.com>

From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Jeff Davis <pgsql@j-davis.com>, Tom Lane <tgl@sss.pgh.pa.us>, Noah Misch <noah@leadboat.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, Nathan Bossart <nathandbossart@gmail.com>
Date: 2023-08-01T18:16:19Z
Lists: pgsql-hackers
On Tue, Aug 1, 2023 at 10:42 AM Robert Haas <robertmhaas@gmail.com> wrote:

> Now, if we don't go in the direction of resolving everything at parse
> time, then I think capturing search_path is probably the next best
> thing, or at least the next best thing that I've thought up so far.


I'd much rather strongly encourage the user to write a safe and
self-sufficient function definition.  Specifically, if there is no
search_path attached to the function then the search path that will be in
place will be temp + pg_catalog only.  Though I wonder whether it would be
advantageous to allow a function to have a temporary schema separate from
the session-scoped one...

They can use ALTER FUNCTION and the existing "FROM CURRENT" specification
to get back to current behavior if desired.

Going further, I could envision an "explicit" mode that both performs a
parse-time check for object existence and optionally reports an error if
the lookup happened via an inexact match - forcing lots more type casts to
occur (we'd probably need to invent something to say "must match the
anyelement function signature") but ensuring at parse time you've correctly
identified everything you intend to be using.  Sure, the meanings of those
things could change but the surface is much smaller than plugging a new
function that matches earlier in the lookup resolution process.

David J.

Commits

  1. Fix search_path to a safe value during maintenance operations.

  2. Revert MAINTAIN privilege and pg_maintain predefined role.

  3. Add grantable MAINTAIN privilege and pg_maintain role.

  4. Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.