On 07/13/2018 05:23 PM, Tom Lane wrote:
> "David G. Johnston" <david.g.johnston@gmail.com> writes:
>> I think serious consideration needs to be given to ways to allow the user
>> of pg_dump/pg_restore to choose the prior, less secure, mode of operation.
>> IMO the risk surface presented to support back-patching the behavioral
>> changes was not severe enough to do so in the first place. I'm presuming
>> undoing the back-patch will be shot down without mercy but at least
>> consider an escape hatch for unafflicted secure systems that just happen to
>> depend on search_path more than a super-hardened system would.
> FWIW, in the security team's discussions of CVE-2018-1058, I argued
> strenuously in favor of providing a way to run pg_dump/pg_restore with
> the system's default search_path as before. I lost the argument;
> but maybe the need for features like this shows that we are not really
> ready to insist on unconditional security there.
>
>
I don't remember that, TBH.
Certainly this problem seems nasty enough that we should possibly
revisit the issue.
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
