Re: pgsql: Fix search_path to a safe value during maintenance operations.

From Tom Lane
Subject Re: pgsql: Fix search_path to a safe value during maintenance operations.
Date
Msg-id 1659699.1688086436@sss.pgh.pa.us
In response to Re: pgsql: Fix search_path to a safe value during maintenance operations.  (Jeff Davis <pgsql@j-davis.com>)
Responses Re: pgsql: Fix search_path to a safe value during maintenance operations.  (Nathan Bossart <nathandbossart@gmail.com>)
Re: pgsql: Fix search_path to a safe value during maintenance operations.  (Jeff Davis <pgsql@j-davis.com>)
List pgsql-hackers
Jeff Davis <pgsql@j-davis.com> writes:
> On Thu, 2023-06-29 at 11:19 -0400, Robert Haas wrote:
>> We shouldn't ship a new feature with a built-in
>> security hole like that.

> Let's take David's suggestion[1] then, and only restrict the search
> path for those without owner privileges on the object.

I think that's a seriously awful kluge.  It will mean that things behave
differently for the owner than for MAINTAIN grantees, which pretty much
destroys the use-case for that privilege, as well as being very confusing
and hard to debug.  Yes, *if* you're careful about search path cleanliness
then you can make it work, but that will be a foot-gun forevermore.

(I'm also less than convinced that this is sufficient to remove all
security hazards.  One pretty obvious question is do we really want
superusers to be treated as owners, rather than MAINTAIN grantees,
for this purpose.)

I'm leaning to Robert's thought that we need to revert this for now,
and think harder about how to make it work cleanly and safely.

            regards, tom lane


