[HACKERS] search path security issue?

-hackers,

Please see the below:

"""
postgres=# create user foo;
CREATE ROLE
postgres=# create schema foo;
CREATE SCHEMA
postgres=# alter role foo set search_path to 'foo';
ALTER ROLE
postgres=# \q
jd@jd-wks:~$ psql -U foo postgres
psql (9.6.5)
Type "help" for help.

postgres=> show search_path; search_path
------------- foo
(1 row)

postgres=> alter role foo set search_path to default;
ALTER ROLE
postgres=> show search_path; search_path
------------- foo
(1 row)

postgres=> \q


jd@jd-wks:~$ psql -U foo postgres
psql (9.6.5)
Type "help" for help.

postgres=> show search_path;   search_path
----------------- "$user", public
(1 row)


I get being able to change my search_path on the fly but it seems odd 
that as user foo I can change my default search path?

JD



-- 
Command Prompt, Inc. || http://the.postgres.company/ || @cmdpromptinc

PostgreSQL Centered full stack support, consulting and development.
Advocate: @amplifypostgres || Learn: https://pgconf.us
*****     Unless otherwise stated, opinions are my own.   *****


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers