| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Noah Misch <noah(at)leadboat(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) |
| Date: | 2012-06-12 03:03:10 |
| Message-ID: | 10451.1339470190@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Noah Misch <noah(at)leadboat(dot)com> writes:
>> CREATE FUNCTION + ALTER FUNCTION OWNER TO is useful for creating another
>> user's untrusted-language SECURITY DEFINER function. ALTER FUNCTION CALLED ON
>> NULL INPUT ought to require that the user be eligible to redefine the function
>> completely.
> Here's a patch implementing that restriction. To clarify, I see no need to
> repeat *all* the CREATE-time checks; for example, there's no need to recheck
> permission to use the return type. The language usage check is enough.
This seems bizarre and largely unnecessary. As you stated to begin
with, granting ownership of a function implies some degree of trust.
I do not want to get into the business of parsing exactly which variants
of ALTER FUNCTION ought to be considered safe. And I definitely don't
want to add a check that enforces restrictions against cases that have
got nothing whatever to do with C-language functions, as this patch
does.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2012-06-12 04:30:57 | Re: Resource Owner reassign Locks |
| Previous Message | Kyotaro HORIGUCHI | 2012-06-12 02:38:31 | Re: Skip checkpoint on promoting from streaming replication |