Re: Fix search_path for all maintenance commands - Mailing list pgsql-hackers

From Nathan Bossart
Subject Re: Fix search_path for all maintenance commands
Date
Msg-id 20231031165802.GB72255@nathanxps13
Whole thread Raw
In response to Re: Fix search_path for all maintenance commands  (Jeff Davis <pgsql@j-davis.com>)
List pgsql-hackers
On Fri, Oct 27, 2023 at 04:04:26PM -0700, Jeff Davis wrote:
> Do we still want to do this?
> 
> Right now, the MAINTAIN privilege is blocking on some way to prevent
> malicious users from abusing the MAINTAIN privilege and search_path to
> acquire the table owner's privileges.

I vote +1 for proceeding with this.  You've been threatening to commit this
since July, and from a quick skim, I don't sense any sustained objections.
Given one of the main objections for v16 was the timing, I would rather
commit this relatively early in the v17 cycle so we have ample time to deal
with any breakage it reveals or to further discuss any nuances.

Of course, I am a bit biased because I would love to un-revert MAINTAIN,
but I believe others would like to see that un-reverted, too.

> The approach of locking down search_path during maintenance commands
> would solve the problem, but it means that we are enforcing search_path
> in some contexts and not others. That's not great, but it's similar to
> what we are doing when we ignore SECURITY INVOKER and run the function
> as the table owner during a maintenance command, or (by default) for
> subscriptions.

Given the experience gained from the 2018 security fixes [0], I think this
is okay.

[0] https://postgr.es/m/20230715211333.GB3675150%40rfd.leadboat.com

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com



pgsql-hackers by date:

Previous
From: "Euler Taveira"
Date:
Subject: Re: Allowing TRUNCATE of FK target when session_replication_role=replica
Next
From: Bruce Momjian
Date:
Subject: Re: Question about non-blocking mode in libpq