Re: security_definer_search_path GUC

Joel Jacobson <joel@compiler.org>

From: "Joel Jacobson" <joel@compiler.org>
To: pgsql-hackers@lists.postgresql.org
Date: 2021-05-29T20:05:34Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Create a new GUC variable search_path to control the namespace search

Glad you bring this problem up for discussion, something should be done to improve the situation.

Personally, as I really dislike search_path and consider using it an anti-pattern.
I would rather prefer a GUC to hard-code search_path to a constant default value of just ‘public’ that cannot be changed by anyone or any function. Trying to change it to a different value would raise an exception.

This would work for me since I always fully-qualify all objects except the ones in public.

/Joel

On Thu, May 27, 2021, at 13:23, Marko Tiikkaja wrote:
> Hi,
> 
> Since writing SECURITY DEFINER functions securely requires annoying incantations[1], wouldn't it be nice if we provided a way for the superuser to override the default search path via a GUC in postgresql.conf?  That way you can set search_path if you want to override the default, but if you leave it out you're not vulnerable, assuming security_definer_search_path only contains secure schemas.
> 
> 
> .m

Kind regards,

Joel