public inbox for [email protected]
help / color / mirror / Atom feedFrom: Nathan Bossart <[email protected]>
To: Jeff Davis <[email protected]>
Cc: Noah Misch <[email protected]>
Cc: David G. Johnston <[email protected]>
Cc: Gurjeet Singh <[email protected]>
Cc: [email protected]
Cc: Robert Haas <[email protected]>
Cc: Greg Stark <[email protected]>
Cc: Tom Lane <[email protected]>
Subject: Re: Fix search_path for all maintenance commands
Date: Tue, 31 Oct 2023 11:58:02 -0500
Message-ID: <20231031165802.GB72255@nathanxps13> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<CABwTF4XWKqx06UxApH8pnBdp_w2iL6VEbGKxDyjCW7-FNhLCBQ@mail.gmail.com>
<CAKFQuwbcUv9QmrfQKRRi1aq4E68xHD9N05_VZ2TLbMpxMV9Opg@mail.gmail.com>
<CABwTF4W5mZ+5fJEEh2vp7trGzwn-gnG6o13hAALmLjHdpeUn2g@mail.gmail.com>
<CAKFQuwZmswfTKtx6oUY0N7UB62cO_nABMgQgdcvrD8r4qjvUJg@mail.gmail.com>
<[email protected]>
<20230717175813.GA717781@nathanxps13>
<[email protected]>
<[email protected]>
<[email protected]>
On Fri, Oct 27, 2023 at 04:04:26PM -0700, Jeff Davis wrote:
> Do we still want to do this?
>
> Right now, the MAINTAIN privilege is blocking on some way to prevent
> malicious users from abusing the MAINTAIN privilege and search_path to
> acquire the table owner's privileges.
I vote +1 for proceeding with this. You've been threatening to commit this
since July, and from a quick skim, I don't sense any sustained objections.
Given one of the main objections for v16 was the timing, I would rather
commit this relatively early in the v17 cycle so we have ample time to deal
with any breakage it reveals or to further discuss any nuances.
Of course, I am a bit biased because I would love to un-revert MAINTAIN,
but I believe others would like to see that un-reverted, too.
> The approach of locking down search_path during maintenance commands
> would solve the problem, but it means that we are enforcing search_path
> in some contexts and not others. That's not great, but it's similar to
> what we are doing when we ignore SECURITY INVOKER and run the function
> as the table owner during a maintenance command, or (by default) for
> subscriptions.
Given the experience gained from the 2018 security fixes [0], I think this
is okay.
[0] https://postgr.es/m/20230715211333.GB3675150%40rfd.leadboat.com
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
view thread (14+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Fix search_path for all maintenance commands
In-Reply-To: <20231031165802.GB72255@nathanxps13>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox