Re: un-revert the MAINTAIN privilege and the pg_maintain predefined role

On Tue, Mar 05, 2024 at 10:12:35AM -0600, Nathan Bossart wrote:
> Thanks to Jeff's recent work with commits 2af07e2 and 59825d1, the issue
> that led to the revert of the MAINTAIN privilege and the pg_maintain
> predefined role (commit 151c22d) should now be resolved. Specifically,
> there was a concern that roles with the MAINTAIN privilege could use
> search_path tricks to run arbitrary code as the table owner. Jeff's work
> prevents this by restricting search_path to a known safe value when running
> maintenance commands. (This approach and others were discussed on the
> lists quite extensively, and it was also brought up at the developer
> meeting at FOSDEM [0] earlier this year.)
>
> Given this, I'd like to finally propose un-reverting MAINTAIN and
> pg_maintain. I created a commitfest entry for this [1] a few weeks ago and
> attached it to Jeff's search_path thread, but I figured it would be good to
> create a dedicated thread for this, too. The attached patch is a straight
> revert of commit 151c22d except for the following small changes:
>
> * The catversion bump has been removed for now. The catversion will need
> to be bumped appropriately if/when this is committed.
>
> * The OID for the pg_maintain predefined role needed to be changed. The
> original OID has been reused for something else since this feature was
> reverted.
>
> * The change in AdjustUpgrade.pm needed to be updated to check for
> "$old_version < 17" instead of "$old_version < 16".

Given all of this code was previously reviewed and committed, I am planning
to forge ahead and commit this early next week, provided no objections or
additional feedback materialize.

--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com