Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qxs49-003yxx-UN for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Oct 2023 16:58:09 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qxs48-003SEi-Cy for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Oct 2023 16:58:08 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qxs48-003SEZ-41 for pgsql-hackers@lists.postgresql.org; Tue, 31 Oct 2023 16:58:08 +0000 Received: from mail-io1-xd2c.google.com ([2607:f8b0:4864:20::d2c]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qxs45-003Jkq-ES for pgsql-hackers@postgresql.org; Tue, 31 Oct 2023 16:58:06 +0000 Received: by mail-io1-xd2c.google.com with SMTP id ca18e2360f4ac-7a66b5f7ea7so212037739f.2 for ; Tue, 31 Oct 2023 09:58:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698771484; x=1699376284; darn=postgresql.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=EIRuF8EtdoifX9ZwoEih2lLlqsd2R3PYosSMV8OJesM=; b=m8X3iijSj76arIJojjjRlihW+UJE4vcFiP28Hr84AC06ijK/hoG/e8DD9uUzAeDDiv Iwm96LMnd/mX34S/rdT3Xx2cn+1/1Ef6jpvJltnbJrCwSK8mNsJH+bKR7y2embtEemA/ PIQEzdb0VS1Quy+7zAOLG3kzBQdTMov6iIRQ07VkGxpSzetfIca2pb5j4Pk6RI8pudsA 3RAx8zqmbBVq8bIPgka6hmRmgyrNAIW4IZPdZRubA/TRIv013XKwpBVvy8+/NjF3R+e0 h0iaGeWAnn8oPKRei5cnjegFfUfpZAhNaHJySu6S5UiIp1JhnYyKUvg6hE7xroQ5njya eEbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698771484; x=1699376284; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=EIRuF8EtdoifX9ZwoEih2lLlqsd2R3PYosSMV8OJesM=; b=nKPEjQYuEFSklno3IcRKTgoMmg8XqDBOhQFBemHo8rLW0ZTj2/C+4TB7IwdtlzjQ0J yngY301WFHpy51Fmpm6sXmKBf+YxVZUns5LXAnSa2feMMF23pTOcuL/Ix0/dGhvRI3Jf h0Un3nJyjlJKUht5gpAjGD9nGbWDbugS4xT13+wgw8JQxSJHt+SKawxRO6ASwQ6HNM5s 2tomENtdv+WDtNApLaAqpsgEjeDDLqWD8XbXrOcRmRUGU+b1nSdkNSNmdqaG1vIZioPl aAo8Ckqij3StM1UvB5mvKzV7kNZVbBie/WJwlRrKNWFHNHL33p4/KhxwDbqr6AY7CoIv ZEeA== X-Gm-Message-State: AOJu0YyMsry2NnxF2VFZKuMOtADAw5K2WrkBocYVtmInqFW/3p7+02SJ pDSG9Pv5wLT44CLDEN5oSdQ= X-Google-Smtp-Source: AGHT+IEkFadONU+82FM0Y/45BEzV3O8tqCyaPHgDubW8GJx2ZqQZ4OS9UBZGF4z3yc04LZoc8dE/Gw== X-Received: by 2002:a05:6602:2cce:b0:7a9:b1ae:98d2 with SMTP id j14-20020a0566022cce00b007a9b1ae98d2mr17795575iow.8.1698771484639; Tue, 31 Oct 2023 09:58:04 -0700 (PDT) Received: from nathanxps13 (162-195-168-172.lightspeed.stlsmo.sbcglobal.net. [162.195.168.172]) by smtp.gmail.com with ESMTPSA id 23-20020a5d9c17000000b00791e6ae3aa4sm496846ioe.23.2023.10.31.09.58.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Oct 2023 09:58:04 -0700 (PDT) Date: Tue, 31 Oct 2023 11:58:02 -0500 From: Nathan Bossart To: Jeff Davis Cc: Noah Misch , "David G. Johnston" , Gurjeet Singh , pgsql-hackers@postgresql.org, Robert Haas , Greg Stark , Tom Lane Subject: Re: Fix search_path for all maintenance commands Message-ID: <20231031165802.GB72255@nathanxps13> References: <2cf41c8edeaaf7acb757095e6eceab8ae926f3da.camel@j-davis.com> <20230715211333.GB3675150@rfd.leadboat.com> <20230717175813.GA717781@nathanxps13> <2ad1dd4e5be5567c0d75676b348eab33b529e974.camel@j-davis.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, Oct 27, 2023 at 04:04:26PM -0700, Jeff Davis wrote: > Do we still want to do this? > > Right now, the MAINTAIN privilege is blocking on some way to prevent > malicious users from abusing the MAINTAIN privilege and search_path to > acquire the table owner's privileges. I vote +1 for proceeding with this. You've been threatening to commit this since July, and from a quick skim, I don't sense any sustained objections. Given one of the main objections for v16 was the timing, I would rather commit this relatively early in the v17 cycle so we have ample time to deal with any breakage it reveals or to further discuss any nuances. Of course, I am a bit biased because I would love to un-revert MAINTAIN, but I believe others would like to see that un-reverted, too. > The approach of locking down search_path during maintenance commands > would solve the problem, but it means that we are enforcing search_path > in some contexts and not others. That's not great, but it's similar to > what we are doing when we ignore SECURITY INVOKER and run the function > as the table owner during a maintenance command, or (by default) for > subscriptions. Given the experience gained from the 2018 security fixes [0], I think this is okay. [0] https://postgr.es/m/20230715211333.GB3675150%40rfd.leadboat.com -- Nathan Bossart Amazon Web Services: https://aws.amazon.com