Re: search_path vs extensions

From: Greg Stark <stark(at)enterprisedb(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "David E(dot) Wheeler" <david(at)kineticode(dot)com>, Dimitri Fontaine <dfontaine(at)hi-media(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Stephen Frost <sfrost(at)snowman(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>
Subject: Re: search_path vs extensions
Date: 2009-05-29 23:53:14
Message-ID: 4136ffa0905291653v76a9425di89a7d73cf7c43e0d@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Fri, May 29, 2009 at 11:18 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> Good point.  But maybe there's some way of getting some kind of
> behavior that is closer to lexical scoping/early binding?  Because the
> way it works right now has lousy security implications, beyond being
> difficult for search_path management.  Assign a search path to a
> schema, that applies to views and functions defined therein?
> *brainstorming*

Well we already set search_path locally in SECURITY DEFINER functions.
Normal functions run with the credentials of the caller so that's not
an issue.

But if a SECURITY DEFINER function calls another function that other
function will inherit the credentials of the caller so it must inherit
the search path of the caller as well. So that has to be dynamically
scoped.

I'm beginning to understand why Oracle programmers are accustomed to
setting SECURITY DEFINER everywhere. I think Oracle also knows to
treat such code as lexically scoped and can bind references when
loading such code.

--
greg

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Greg Stark 2009-05-30 00:16:25 Re: search_path improvements WAS: search_path vs extensions
Previous Message decibel 2009-05-29 23:44:46 Re: Allow vacuumdb to only analyze