Re: [HACKERS] search path security issue?

On 10/05/2017 02:54 PM, David G. Johnston wrote:
> On Thu, Oct 5, 2017 at 2:37 PM, Joshua D. Drake <jd@commandprompt.com 
> <mailto:jd@commandprompt.com>>wrote:
> 
>     I get being able to change my search_path on the fly but it seems
>     odd that as user foo I can change my default search path?
> 
> 
> Seems down-right thoughtful of us to allow users to change their own 
> defaults instead of forcing them to always change things on-the-fly or 
> bug a DBA to change the default for them.

It seems that if a super user changes the search path with ALTER 
USER/ROLE, then the user itself should not (assuming not an elevated 
privilege) should not be able to change it. Again, I get being able to 
do it with SET but a normal user shouldn't be able to reset a super user 
determined setting.

Shrug,

JD

> 
> David J.
> ​


-- 
Command Prompt, Inc. || http://the.postgres.company/ || @cmdpromptinc

PostgreSQL Centered full stack support, consulting and development.
Advocate: @amplifypostgres || Learn: https://pgconf.us
*****     Unless otherwise stated, opinions are my own.   *****


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers