| From: | Marko Tiikkaja <marko(at)joh(dot)to> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org> |
| Cc: | Joel Jacobson <joel(at)compiler(dot)org>, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: security_definer_search_path GUC |
| Date: | 2021-06-02 22:50:17 |
| Message-ID: | CAL9smLAz7UHajV8HhO-r1+gYeCw1pgNgN2c9qynYh8C1fGEz2w@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Jun 2, 2021 at 10:20 PM Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>
wrote:
> On 2021-Jun-02, Marko Tiikkaja wrote:
>
> > The use case is: version upgrades. I want to be able to have a
> search_path
> > of something like 'pg_catalog, compat, public'. That way we can provide
> > compatibility versions of newer functions in the "compat" schema, which
> get
> > taken over by pg_catalog when running on a newer version. That way all
> the
> > compatibility crap is clearly separated from the stuff that should be in
> > "public".
>
> Can't you achieve that with "ALTER DATABASE .. SET search_path"?
>
No, because I have a thousand SECURITY DEFINER functions which have to
override search_path or they'd be insecure.
.m
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marko Tiikkaja | 2021-06-02 22:55:39 | Re: security_definer_search_path GUC |
| Previous Message | Andrew Dunstan | 2021-06-02 22:25:40 | Re: pgsql: Add regression test for recovery pause. |