Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qHc3F-0006Nl-A2 for pgsql-hackers@arkaria.postgresql.org; Fri, 07 Jul 2023 03:22:33 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1qHc3C-0000la-Ke for pgsql-hackers@arkaria.postgresql.org; Fri, 07 Jul 2023 03:22:30 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qHc3C-0000lR-4y for pgsql-hackers@lists.postgresql.org; Fri, 07 Jul 2023 03:22:30 +0000 Received: from mail-lf1-x12f.google.com ([2a00:1450:4864:20::12f]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qHc39-002Sxu-Gx for pgsql-hackers@postgresql.org; Fri, 07 Jul 2023 03:22:28 +0000 Received: by mail-lf1-x12f.google.com with SMTP id 2adb3069b0e04-4fba03becc6so3261202e87.0 for ; Thu, 06 Jul 2023 20:22:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688700145; x=1691292145; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2bXiFxvMfaWCRmC3Drb/AxQOSHeX4nKx9fZn21HJ3oE=; b=bEFu6ooCvhGLinw6plYvZdSsllDYHyu1VuXvjRuBLvVZtceopy3yK2TIyqDBFOh0Sr Cyh8ziXSZX4dOB3nR0ZJr/Fdnh8MwQ+ZThbMRv1gssilv/AZMmkXAGw7ViG/XpE3+oTI xzTw8ePLzD4QcmP/KN31XreupiIHCuoJfCdiUUD0jdJ3FGHjvNuDEmi1/bbzgR1ynb2f NlJQXTgruy37lO9EdUCPAytBstHHomfrakKva+RuvGq5S3htUxPYKcalyseShWRljrAm +r6dOgPDMfRvIAjFyJ1KdXz/vwEMCcsn40xniquTSgas7Swaw5WR8MCUhZ0OodkcVtPi NXHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688700145; x=1691292145; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2bXiFxvMfaWCRmC3Drb/AxQOSHeX4nKx9fZn21HJ3oE=; b=ZTwYrjBcWuehprmZI+dZBXWXTvK8/jYfEOWUXXzNWHhJrZY5CLN1eInK5X3dgdwxZX c+6jDndDgR8RUxYkp2pm99Qlyu0ONqvMuTi5ldedAdgh1zV45m89tW+m+l6sQZlnh74a ZH0JJEfzLdMmclPwDxHOFC4A7+w3VryZW54hwhgBhMbpefmG6yjA7JoeIgCt8rjfAU1p SRnlvuU7ipOlJyFs1eqT1txF0/zJ2WYzee7lQ7uALAa4FbFiy01YI2j7f9cUzKmoXJjx pKmIx36ku6cmelml78lFURurY3/rd994xPbLUDfkgIAkvevfgsdDvJgYujqPeHcUTZS+ BH6w== X-Gm-Message-State: ABy/qLZMd9BhHwRtub/UcgKvdJL0R6gIDY/iiN1YlD89F9ZNMFNnS+eV MZJYkORZyzdBehui3saZ0RDSCpwklGu7eiAsdmg= X-Google-Smtp-Source: APBJJlFfW2k6AXCr8yyUzn/+55VO5CVDURzR4gOjnvcuwSG2zfmzLf7Ya4kkJVQOW66V5RdfIXa7uatyRigH7IcsOns= X-Received: by 2002:a05:6512:31cf:b0:4fb:7624:85a5 with SMTP id j15-20020a05651231cf00b004fb762485a5mr1558099lfe.0.1688700144627; Thu, 06 Jul 2023 20:22:24 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Isaac Morland Date: Thu, 6 Jul 2023 23:22:13 -0400 Message-ID: Subject: Re: Fix search_path for all maintenance commands To: Jeff Davis Cc: pgsql-hackers@postgresql.org, Nathan Bossart , Robert Haas , Noah Misch , "David G. Johnston" , Greg Stark , Tom Lane , GurjeetSingh Content-Type: multipart/alternative; boundary="00000000000040b33605ffdd24de" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --00000000000040b33605ffdd24de Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, 6 Jul 2023 at 21:39, Jeff Davis wrote: I apologize in advance if anything I=E2=80=99ve written below is either too= obvious or too crazy or misinformed to belong here. I hope I have something to say that is on point, but feel unsure what makes sense to say. * It might break for users who have a functional index where the > function implicitly depends on a search_path containing a namespace > other than pg_catalog. My opinion is that such functional indexes are > conceptually broken and we need to desupport them, and there will be > some breakage, but I'm open to suggestion about how we minimize that (a > compatibility GUC or something?). > I agree this is OK. If somebody has an index whole meaning depends on the search_path, then the best that can be said is that their database hasn't been corrupted yet. At the same time, I can see that somebody would get upset if they couldn't upgrade their database because of this. Maybe pg_upgrade could apply "SET search_path TO pg_catalog, pg_temp" to any function used in a functional index that doesn't have a search_path setting of its own? (BEGIN ATOMIC functions count, if I understand correctly, as having a search_path setting, because the lookups happen at definition time= ) Now I'm doing more reading and I'm worried about SET TIME ZONE (or more precisely, its absence) and maybe some other ones. * The fix might not go far enough or might be in the wrong place. I'm > open to suggestion here, too. Maybe we can make it part of the general > function call mechanism, and can be overridden by explicitly setting > the function search path? Or maybe we need new syntax where the > function can acquire the search path from the session explicitly, but > uses a safe search path by default? > Change it so by default each function gets handled as if "SET search_path FROM CURRENT" was applied to it? That's what I do for all my functions (maybe hurting performance?). Expand on my pg_upgrade idea above by applying it to all functions? I feel that this may tie into other behaviour issues where to me it is obvious that the expected behaviour should be different from the actual behaviour. If a view calls a function, shouldn't it be called in the context of the view's definer/owner? It's weird that I can write a view that filters a table for users of the view, but as soon as the view calls functions they run in the security context of the user of the view. Are views security definers or not? Similar comment for triggers. Also as far as I can tell there is no way for a security definer function to determine who (which user) invoked it. So I can grant/deny access to run a particular function using permissions, but I can't have the supposed security definer define security for different callers. Is the fundamental problem that we now find ourselves wanting to do things that require different defaults to work smoothly? On some level I suspect we want lexical scoping, which is what most of us have in our programming languages, in the database; but the database has many elements of dynamic scoping, and changing that is both a compatibility break and requires significant changes in the way the database is designed. --00000000000040b33605ffdd24de Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Thu, 6 Jul 2023 at 21:39, Jeff Davis &= lt;pgsql@j-davis.com> wrote:

I apologize in advanc= e if anything I=E2=80=99ve written below is either too obvious or too crazy= or misinformed to belong here. I hope I have something to say that is on p= oint, but feel unsure what makes sense to say.

* It might break for users who have a functional index where the
function implicitly depends on a search_path containing a namespace
other than pg_catalog. My opinion is that such functional indexes are
conceptually broken and we need to desupport them, and there will be
some breakage, but I'm open to suggestion about how we minimize that (a=
compatibility GUC or something?).

I agr= ee this is OK. If somebody has an index whole=C2=A0meaning depends on the s= earch_path, then the best that can be said is that their database hasn'= t been corrupted yet. At the same time, I can see that somebody would get u= pset if they couldn't upgrade their database because of this. Maybe pg_= upgrade could apply "SET search_path TO pg_catalog, pg_temp" to a= ny function used in a functional index that doesn't have a search_path = setting of its own? (BEGIN ATOMIC functions count, if I understand correctl= y, as having a search_path setting, because the lookups happen at definitio= n time)

Now I'm doing more reading and I'm= worried about SET TIME ZONE (or more precisely, its absence) and maybe som= e other ones.

* The fix might not go far enough or might be in the wrong place. I'm open to suggestion here, too. Maybe we can make it part of the general
function call mechanism, and can be overridden by explicitly setting
the function search path? Or maybe we need new syntax where the
function can acquire the search path from the session explicitly, but
uses a safe search path by default?
=C2=A0
C= hange it so by default each function gets handled as if "SET search_pa= th FROM CURRENT" was applied to it? That's what I do for all my fu= nctions (maybe hurting performance?). Expand on my pg_upgrade idea above by= applying it to all functions?

I feel that this ma= y tie into other behaviour issues where to me it is obvious that the expect= ed behaviour should be different from the actual behaviour. If a view calls= a function, shouldn't it be called in the context of the view's de= finer/owner? It's weird that I can write a view that filters a table fo= r users of the view, but as soon as the view calls functions they run in th= e security context of the user of the view. Are views security definers or = not? Similar comment for triggers. Also as far as I can tell there is no wa= y for a security definer function to determine who (which user) invoked it.= So I can grant/deny access to run a particular function using permissions,= but I can't have the supposed security definer define security for dif= ferent callers.

Is the fundamental problem that we= now find ourselves wanting to do things that require different defaults to= work smoothly? On some level I suspect we want lexical scoping, which is w= hat most of us have in our programming languages, in the database; but the = database has many elements of dynamic scoping,=C2=A0and changing that is bo= th a compatibility break and requires significant changes in the way the da= tabase=C2=A0is designed.

--00000000000040b33605ffdd24de--