Re: security_definer_search_path GUC - Mailing list pgsql-hackers

From Pavel Stehule
Subject Re: security_definer_search_path GUC
Date
Msg-id CAFj8pRBpWXK-kmYwefm2PzEfvyxxfuZR-8sawjVhRZY-5V3_Ug@mail.gmail.com
In response to Re: security_definer_search_path GUC  (Mark Dilger <mark.dilger@enterprisedb.com>)
Responses Re: security_definer_search_path GUC
List pgsql-hackers


On Thu 3. 6. 2021 at 18:30, Mark Dilger <mark.dilger@enterprisedb.com> wrote:


> > On Jun 3, 2021, at 9:03 AM, Pavel Stehule <pavel.stehule@gmail.com> wrote:
> >
> > I agree that some possibility of locking search_path, or of controlling who can change it and when, can increase security. This should be a core feature. It's maybe a more generic issue: the same functionality can be required for the work_mem setting, maybe max_parallel_workers_per_gather, and other GUCs.

> Chapman already suggested a mechanism in [1] to allow chaining together additional validators for GUCs.
>
> When setting search_path, the check_search_path(char **newval, void **extra, GucSource source) function is invoked.  As I understand Chapman's proposal, additional validators could be added to any GUC.  You could implement search_path restrictions by defining additional validators that enforce whatever restriction you like.

This design looks good for extensions, but I am not sure if it is good for users. Some declarative way, without the necessity of programming or installing an extension, would be nice.

Pavel


> Marko, does his idea sound workable for your needs?  I understood your original proposal as only restricting the value of search_path within security definer functions.  This idea would allow you to restrict it everywhere, and not tailored to just that context.
>
> [1] https://www.postgresql.org/message-id/608C9A81.3020006@anastigmatix.net
>
>
> Mark Dilger
> EnterpriseDB: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
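The chained-validator design that Mark describes above, modelled in stand-alone C as an added example (this is not PostgreSQL source and not code from anyone in the thread). It keeps the hook signature named in the mail, check_search_path(char **newval, void **extra, GucSource source), but everything else is assumed: the GucSource enum is a constructed subset, the register_validator/run_validator_chain pair is a hypothetical model of the chaining proposal rather than a real server API, the syntax check is simplified (no quoted identifiers), and the allowlist of schemas is constructed for the demo. The point it shows is how a site policy such as "only these schemas may appear in search_path" can be layered on top of the core check without touching it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for PostgreSQL's GucSource: a constructed subset, not the real enum. */
typedef enum { PGC_S_DEFAULT, PGC_S_FILE, PGC_S_SESSION } GucSource;

/* Same shape as a GUC check hook such as check_search_path(char **, void **, GucSource). */
typedef bool (*GucCheckHook)(char **newval, void **extra, GucSource source);

#define MAX_VALIDATORS 8
static GucCheckHook chain[MAX_VALIDATORS];
static int chain_len = 0;

/* Append a validator to the chain (hypothetical model of the chaining proposal). */
bool register_validator(GucCheckHook hook)
{
    if (chain_len >= MAX_VALIDATORS)
        return false;
    chain[chain_len++] = hook;
    return true;
}

/* Run every validator in order; the first one that rejects the value wins. */
bool run_validator_chain(char **newval, void **extra, GucSource source)
{
    for (int i = 0; i < chain_len; i++)
        if (!chain[i](newval, extra, source))
            return false;
    return true;
}

/* Copy the next comma-separated item of *cursor into buf, trimming blanks.
 * Returns false once the list is exhausted. */
static bool next_item(const char **cursor, char *buf, size_t buflen)
{
    const char *start = *cursor;
    if (*start == '\0')
        return false;
    const char *comma = strchr(start, ',');
    const char *stop = comma ? comma : start + strlen(start);
    *cursor = comma ? comma + 1 : stop;
    while (start < stop && isspace((unsigned char)*start))
        start++;
    while (stop > start && isspace((unsigned char)stop[-1]))
        stop--;
    size_t len = (size_t)(stop - start);
    if (len >= buflen)
        len = buflen - 1;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return true;
}

/* Validator 1 (syntactic, simplified): at least one item, each either $user or an
 * unquoted identifier. Real search_path parsing also accepts quoted identifiers. */
static bool check_search_path_syntax(char **newval, void **extra, GucSource source)
{
    (void)extra; (void)source;
    const char *cursor = *newval;
    char item[64];
    int count = 0;
    while (next_item(&cursor, item, sizeof item)) {
        count++;
        if (strcmp(item, "$user") == 0)
            continue;
        if (!(isalpha((unsigned char)item[0]) || item[0] == '_'))
            return false;                       /* also rejects empty items */
        for (const char *c = item + 1; *c; c++)
            if (!(isalnum((unsigned char)*c) || *c == '_'))
                return false;
    }
    return count > 0;
}

/* Validator 2 (site policy): every schema must be on a constructed allowlist. This is
 * the kind of extra restriction the proposal lets a site add on top of the core check. */
static const char *const allowed_schemas[] = { "pg_catalog", "pg_temp", "app" };

static bool check_search_path_allowlist(char **newval, void **extra, GucSource source)
{
    (void)extra; (void)source;
    const char *cursor = *newval;
    char item[64];
    while (next_item(&cursor, item, sizeof item)) {
        bool found = false;
        for (size_t i = 0; i < sizeof allowed_schemas / sizeof allowed_schemas[0]; i++)
            if (strcmp(item, allowed_schemas[i]) == 0) { found = true; break; }
        if (!found)
            return false;
    }
    return true;
}

/* Validate a candidate search_path through the chain, installing the two validators on
 * first use. Hooks receive a writable copy, as a real check hook would. */
bool validate_search_path(const char *value, GucSource source)
{
    if (chain_len == 0) {
        register_validator(check_search_path_syntax);
        register_validator(check_search_path_allowlist);
    }
    char *copy = malloc(strlen(value) + 1);
    strcpy(copy, value);
    void *extra = NULL;
    bool ok = run_validator_chain(&copy, &extra, source);
    free(copy);
    return ok;
}

int main(void)
{
    const char *candidates[] = { "pg_catalog, app", "$user, public", "pg_catalog,,app", "" };
    for (size_t i = 0; i < 4; i++)
        printf("%-18s -> %s\n", candidates[i],
               validate_search_path(candidates[i], PGC_S_SESSION) ? "accepted" : "rejected");
    return 0;
}
```

Because the allowlist validator runs after the syntactic one, it never sees a malformed value, and a value such as "$user, public" is refused even though it is syntactically fine: exactly the lock-down the thread asks for, expressed as a validator rather than a patch to the core hook.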


