Re: un-revert the MAINTAIN privilege and the pg_maintain predefined role

From: Nathan Bossart <nathandbossart(at)gmail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: un-revert the MAINTAIN privilege and the pg_maintain predefined role
Date: 2024-03-07 16:50:00
Message-ID: 20240307165000.GA388645@nathanxps13
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Tue, Mar 05, 2024 at 10:12:35AM -0600, Nathan Bossart wrote:
> Thanks to Jeff's recent work with commits 2af07e2 and 59825d1, the issue
> that led to the revert of the MAINTAIN privilege and the pg_maintain
> predefined role (commit 151c22d) should now be resolved. Specifically,
> there was a concern that roles with the MAINTAIN privilege could use
> search_path tricks to run arbitrary code as the table owner. Jeff's work
> prevents this by restricting search_path to a known safe value when running
> maintenance commands. (This approach and others were discussed on the
> lists quite extensively, and it was also brought up at the developer
> meeting at FOSDEM [0] earlier this year.)
>
> Given this, I'd like to finally propose un-reverting MAINTAIN and
> pg_maintain. I created a commitfest entry for this [1] a few weeks ago and
> attached it to Jeff's search_path thread, but I figured it would be good to
> create a dedicated thread for this, too. The attached patch is a straight
> revert of commit 151c22d except for the following small changes:
>
> * The catversion bump has been removed for now. The catversion will need
> to be bumped appropriately if/when this is committed.
>
> * The OID for the pg_maintain predefined role needed to be changed. The
> original OID has been reused for something else since this feature was
> reverted.
>
> * The change in AdjustUpgrade.pm needed to be updated to check for
> "$old_version < 17" instead of "$old_version < 16".

Given all of this code was previously reviewed and committed, I am planning
to forge ahead and commit this early next week, provided no objections or
additional feedback materialize.

--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Ashutosh Bapat 2024-03-07 16:54:26 Re: table inheritance versus column compression and storage settings
Previous Message Tom Lane 2024-03-07 16:46:32 Re: Function and Procedure with same signature?