Thanks to Jeff's recent work with commits 2af07e2 and 59825d1, the issue
that led to the revert of the MAINTAIN privilege and the pg_maintain
predefined role (commit 151c22d) should now be resolved. Specifically,
there was a concern that roles with the MAINTAIN privilege could use
search_path tricks to run arbitrary code as the table owner. Jeff's work
prevents this by restricting search_path to a known safe value when running
maintenance commands. (This approach and others were discussed on the
lists quite extensively, and it was also brought up at the developer
meeting at FOSDEM [0] earlier this year.)
Given this, I'd like to finally propose un-reverting MAINTAIN and
pg_maintain. I created a commitfest entry for this [1] a few weeks ago and
attached it to Jeff's search_path thread, but I figured it would be good to
create a dedicated thread for this, too. The attached patch is a straight
revert of commit 151c22d except for the following small changes:
* The catversion bump has been removed for now. The catversion will need
to be bumped appropriately if/when this is committed.
* The OID for the pg_maintain predefined role needed to be changed. The
original OID has been reused for something else since this feature was
reverted.
* The change in AdjustUpgrade.pm needed to be updated to check for
"$old_version < 17" instead of "$old_version < 16".
Thoughts?
[0]
https://wiki.postgresql.org/wiki/FOSDEM/PGDay_2024_Developer_Meeting#The_Path_to_un-reverting_the_MAINTAIN_privilege
[1] https://commitfest.postgresql.org/47/4836/
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com