search path security issue?

From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: search path security issue?
Date: 2017-10-05 21:37:21
Message-ID: 9badbdb1-2519-5416-7d2a-55ff50a5963e@commandprompt.com
Lists: pgsql-hackers

-hackers,

Please see the below:

"""
postgres=# create user foo;
CREATE ROLE
postgres=# create schema foo;
CREATE SCHEMA
postgres=# alter role foo set search_path to 'foo';
ALTER ROLE
postgres=# \q
jd(at)jd-wks:~$ psql -U foo postgres
psql (9.6.5)
Type "help" for help.

postgres=> show search_path;
search_path
-------------
foo
(1 row)

postgres=> alter role foo set search_path to default;
ALTER ROLE
postgres=> show search_path;
search_path
-------------
foo
(1 row)

postgres=> \q

jd(at)jd-wks:~$ psql -U foo postgres
psql (9.6.5)
Type "help" for help.

postgres=> show search_path;
search_path
-----------------
"$user", public
(1 row)

I get being able to change my search_path on the fly but it seems odd
that as user foo I can change my default search path?

JD

--
Command Prompt, Inc. || http://the.postgres.company/ || @cmdpromptinc

PostgreSQL Centered full stack support, consulting and development.
Advocate: @amplifypostgres || Learn: https://pgconf.us
***** Unless otherwise stated, opinions are my own. *****
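
An added example, not part of the original message or of PostgreSQL's own code: catalog queries an administrator could run to audit the per-role search_path defaults that the session above sets and resets with ALTER ROLE. It uses the standard catalogs pg_db_role_setting, pg_roles and pg_database; the output column aliases are chosen here for illustration.

```sql
-- Added example. ALTER ROLE ... SET and ALTER DATABASE ... SET values are
-- stored in pg_db_role_setting as an array of 'name=value' strings.
-- setrole = 0 means "all roles", setdatabase = 0 means "all databases".

-- 1. Every stored search_path default, per role and per database.
SELECT COALESCE(r.rolname, '(all roles)')        AS role_name,
       COALESCE(d.datname, '(all databases)')    AS database_name,
       substr(cfg, length('search_path=') + 1)   AS stored_search_path
FROM pg_db_role_setting AS s
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
LEFT JOIN pg_roles    AS r ON r.oid = s.setrole
LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
-- left() instead of LIKE, because '_' is a wildcard in LIKE patterns.
WHERE left(cfg, length('search_path=')) = 'search_path='
ORDER BY role_name, database_name;

-- 2. For the connected role: the value in effect in this session next to
--    the value stored for its next login. ALTER ROLE changes only the
--    stored value, which is why SHOW search_path still printed "foo" after
--    "set search_path to default" in the session above.
--    A NULL stored_role_default means no per-role entry exists, so a new
--    session falls back to the database-level or server-wide default.
SELECT current_user                     AS role_name,
       current_setting('search_path')   AS session_search_path,
       (SELECT substr(c, length('search_path=') + 1)
          FROM pg_roles AS pr
          CROSS JOIN LATERAL unnest(pr.rolconfig) AS c
         WHERE pr.rolname = current_user
           AND left(c, length('search_path=')) = 'search_path='
       )                                AS stored_role_default;
```

Running the second query as foo before and after the `alter role foo set search_path to default` step shows stored_role_default going from foo to NULL while session_search_path stays foo until reconnect.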
