From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | Dave Fennell <dave(at)microtux(dot)co(dot)uk> |
Cc: | pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #6076: Unexpected "Security Definer / invoker" interaction |
Date: | 2011-06-24 18:28:46 |
Message-ID: | 1308939809-sup-2803@alvh.no-ip.org |
Lists: | pgsql-bugs |
Excerpts from Dave Fennell's message of Fri Jun 24 10:48:40 -0400 2011:
> Not sure if this is a bug or possibly just undocumented (or unclearly
> documented) behaviour but the interaction of functions defined as "security
> definer" and functions defined as "security invoker" is not what I would
> expect.
>
> I would expect that if a function defined as "security definer" calls a
> function defined as "security invoker" the "invoker" role used would be the
> "definer" of the first function? However it appears that the *actual*
> invoker (current user) is used.

I think your problem is that you need an explicit SET ROLE to sub1
before calling sub1.func2(). Alternatively you could set up global so
that it "inherits" (which would automatically give it the privileges
that both sub1 and sub2 have).

There doesn't seem to be a bug here.

--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support