Re: security_definer_search_path GUC - Mailing list pgsql-hackers

From Joel Jacobson
Subject Re: security_definer_search_path GUC
Date
Msg-id e9f6035e-cb1f-4c49-9286-a44ebd973d4b@www.fastmail.com
Whole thread Raw
In response to Re: security_definer_search_path GUC  (Pavel Stehule <pavel.stehule@gmail.com>)
Responses Re: security_definer_search_path GUC
List pgsql-hackers
On Sun, May 30, 2021, at 09:54, Pavel Stehule wrote:
Maybe inverted design can work better - there can be GUC - "qualified_names_required" with a list of schemas without enabled implicit access.

The one possible value can be "all".

The advantage of this design can be the possibility of work on current extensions.

I don't think so search_path can be disabled - but there can be checks that disallow non-qualified names.

I would prefer a pre-installed search_path-extension that can be uninstalled,
instead of yet another GUC, but if that's not an option, I'm happy with a GUC as well.

IMO, the current search_path default behaviour is a minefield.

For users like myself, who prefer a safer context-free name resolution behaviour, here is how I think it should work:

* The only schemas that don't require fully-qualified schemas are 'pg_catalog' and 'public'

* The $user schema feature is removed, i.e:
- $user is not part of the search_path
- objects are not created nor looked for in a $user schema if such a schema exists
- objects are always created in 'public' if a schema is not explicitly specified

* Temp objects always needs to be fully-qualified using 'pg_temp'

* 'pg_catalog' and 'public' are enforced to be completely disjoint.
That is, trying to create an object in 'public' that is in conflict with 'pg_catalog' would raise an error.

More ideas?

/Joel




pgsql-hackers by date:

Previous
From: "tanghy.fnst@fujitsu.com"
Date:
Subject: RE: [BUG]Update Toast data failure in logical replication
Next
From: Peter Smith
Date:
Subject: Re: locking [user] catalog tables vs 2pc vs logical rep