Re: pgsql: Fix search_path to a safe value during maintenance operations.

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Jeff Davis <pgsql(at)j-davis(dot)com>
Cc: Noah Misch <noah(at)leadboat(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jeff Davis <jdavis(at)postgresql(dot)org>, pgsql-committers(at)lists(dot)postgresql(dot)org
Subject: Re: pgsql: Fix search_path to a safe value during maintenance operations.
Date: 2023-06-13 00:50:32
Message-ID: CAKFQuwaVJkM9u+qpOaom2UkPE1sz0BASF-E5amxWPxncUhm4Hw@mail.gmail.com
Lists: pgsql-committers pgsql-hackers

On Mon, Jun 12, 2023 at 5:40 PM Jeff Davis <pgsql(at)j-davis(dot)com> wrote:

> On Mon, 2023-06-12 at 13:05 -0400, Noah Misch wrote:
> > The timing was not great, but this is fixing a purported defect in an older
> > v16 feature. If the MAINTAIN privilege is actually fine, we're all set for
> > v16. If MAINTAIN does have a material problem that $SUBJECT had fixed, we
> > should either revert MAINTAIN, un-revert $SUBJECT, or fix the problem a
> > different way.
>
> Someone with the MAINTAIN privilege on a table can use search_path
> tricks against the table owner, if the code is susceptible, because
> maintenance code runs with the privileges of the table owner.
>
>
Only change the search_path if someone other than the table owner or
superuser is running the command (which should only be possible via the new
MAINTAIN privilege)?

David J.
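
An owner-side check for the exposure discussed in this message, added here as an example (not part of the thread or of PostgreSQL's own code): functions that maintenance commands evaluate through expression or partial indexes resolve unqualified names through whatever search_path is in effect, unless the function pins its own. The schema, table, function and index names are hypothetical; the catalog columns are PostgreSQL's.

```sql
-- Constructed objects for illustration (hypothetical names).
CREATE SCHEMA app;
CREATE TABLE app.accounts (id bigint PRIMARY KEY, email text NOT NULL);

-- Hardened form: the function carries its own search_path, so the names in
-- its body resolve the same way no matter which role runs the maintenance
-- command or what that role's session search_path is.
CREATE FUNCTION app.norm_email(addr text) RETURNS text
    LANGUAGE sql IMMUTABLE
    SET search_path = pg_catalog, pg_temp
    AS $$ SELECT lower(btrim(addr)) $$;

-- The index expression references the function by schema-qualified name.
CREATE INDEX accounts_email_idx ON app.accounts (app.norm_email(email));

-- An existing function can be pinned in place without redefining it.
ALTER FUNCTION app.norm_email(text) SET search_path = pg_catalog, pg_temp;

-- Audit: user-defined functions referenced by an index (expression or
-- predicate) that have no per-function search_path setting. These are the
-- functions that run as the table owner during index maintenance while
-- depending on the ambient search_path.
SELECT DISTINCT
       i.indrelid::regclass        AS table_name,
       d.objid::regclass           AS index_name,
       p.oid::regprocedure         AS function_used,
       pg_get_userbyid(c.relowner) AS table_owner
FROM pg_depend d
JOIN pg_index     i ON i.indexrelid = d.objid
JOIN pg_class     c ON c.oid = i.indrelid
JOIN pg_proc      p ON p.oid = d.refobjid
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE d.classid    = 'pg_class'::regclass
  AND d.refclassid = 'pg_proc'::regclass
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT EXISTS (
        -- proconfig holds 'name=value' entries; NULL means no SET clauses.
        SELECT 1
        FROM unnest(p.proconfig) AS cfg
        WHERE cfg LIKE 'search_path=%')
ORDER BY 1, 2;
```

With the objects above the audit returns no row for app.norm_email; a function listed by it is a candidate for the ALTER FUNCTION statement shown.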
