Re: [HACKERS] search path security issue?

2017-10-09 Thread Fabrízio de Royes Mello
On Sun, Oct 8, 2017 at 3:34 PM, Joe Conway wrote:
>
> On 10/06/2017 12:52 AM, Magnus Hagander wrote:
> > It would be a nice feature to have in general, like a "basic guc
> > permissions" thing. At least allowing a superuser to prevent exactly
> > this. You could argue the same

Re: [HACKERS] search path security issue?

2017-10-08 Thread Joe Conway
On 10/06/2017 12:52 AM, Magnus Hagander wrote:
> It would be a nice feature to have in general, like a "basic guc
> permissions" thing. At least allowing a superuser to prevent exactly
> this. You could argue the same thing for example for memory parameters
> and such. We have no permissions at

Re: [HACKERS] search path security issue?

2017-10-06 Thread Magnus Hagander
On Fri, Oct 6, 2017 at 12:05 AM, Joshua D. Drake wrote:
> On 10/05/2017 02:54 PM, David G. Johnston wrote:
>
>> On Thu, Oct 5, 2017 at 2:37 PM, Joshua D. Drake wrote:
>>
>> I get being able to change my

Re: [HACKERS] search path security issue?

2017-10-05 Thread David G. Johnston
On Thu, Oct 5, 2017 at 3:05 PM, Joshua D. Drake wrote:
> On 10/05/2017 02:54 PM, David G. Johnston wrote:
>
>> On Thu, Oct 5, 2017 at 2:37 PM, Joshua D. Drake wrote:
>>
>> I get being able to change my

Re: [HACKERS] search path security issue?

2017-10-05 Thread Joshua D. Drake
On 10/05/2017 02:54 PM, David G. Johnston wrote:
On Thu, Oct 5, 2017 at 2:37 PM, Joshua D. Drake wrote:
I get being able to change my search_path on the fly but it seems odd that as user foo I can change my default search path?

Re: [HACKERS] search path security issue?

2017-10-05 Thread David G. Johnston
On Thu, Oct 5, 2017 at 2:37 PM, Joshua D. Drake wrote:
> I get being able to change my search_path on the fly but it seems odd that
> as user foo I can change my default search path?
>
Seems down-right thoughtful of us to allow users to change their own defaults instead

Re: [HACKERS] search path security issue?

2017-10-05 Thread Tom Lane
"Joshua D. Drake" writes:
> I get being able to change my search_path on the fly but it seems odd
> that as user foo I can change my default search path?
Why is that odd? It's a USERSET variable.
regards, tom lane

[HACKERS] search path security issue?

2017-10-05 Thread Joshua D. Drake
-hackers,
Please see the below:
"""
postgres=# create user foo;
CREATE ROLE
postgres=# create schema foo;
CREATE SCHEMA
postgres=# alter role foo set search_path to 'foo';
ALTER ROLE
postgres=# \q
jd@jd-wks:~$ psql -U foo postgres
psql (9.6.5)
Type "help" for help.
postgres=> show search_path;