Re: MAINTAIN privilege -- what do we need to un-revert it?

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Noah Misch <noah@leadboat.com>
Cc: Jeff Davis <pgsql@j-davis.com>, Nathan Bossart <nathandbossart@gmail.com>, pgsql-hackers@postgresql.org, Joe Conway <mail@joeconway.com>, Robert Haas <robertmhaas@gmail.com>
Date: 2024-07-09T06:20:26Z
Lists: pgsql-hackers
On Sun, Jun 30, 2024 at 03:23:44PM -0700, Noah Misch wrote:
> I've audited NewGUCNestLevel() calls that didn't get this addition.  Among
> those, these need the addition:
> 
> - Each in ComputeIndexAttrs() -- they arise when the caller is DefineIndex()
> - In DefineIndex(), after comment "changed a behavior-affecting GUC"

Hmm.  Is RestrictSearchPath() something that we should advertise more
strongly, thinking here about extensions that call NewGUCNestLevel()?
That would be really easy to miss, and it could have bad consequences.
I know that this is not something that's published in the release
notes, but it looks like something sensible to have, though.

> While "not necessary for security", ExecCreateTableAs() should do it for the
> same reason it calls NewGUCNestLevel().

+1.
--
Michael

Commits

  1. doc: Note that CREATE MATERIALIZED VIEW restricts search_path.

  2. Small refactoring around ExecCreateTableAs().

  3. Add is_create parameter to RefreshMatviewByOid().

  4. Remove unused ParamListInfo argument from ExecRefreshMatView.

  5. When creating materialized views, use REFRESH to load data.

  6. Add missing RestrictSearchPath() calls.

  7. Fix search_path to a safe value during maintenance operations.

  8. Revert MAINTAIN privilege and pg_maintain predefined role.

  9. Avoid repeated name lookups during table and index DDL.

  10. Add a materialized view relations.