From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Keith Fiske <keith(at)omniti(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Allow GRANT TRIGGER privilege to DROP TRIGGER (Re: Bug ##7716) |
Date: | 2014-07-30 21:20:25 |
Message-ID: | 14211.1406755225@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Bruce Momjian <bruce(at)momjian(dot)us> writes:
> On Wed, Jul 16, 2014 at 07:45:56PM -0400, Tom Lane wrote:
>> I think we should get rid of the separate TRIGGER privilege altogether,
>> not make it an even bigger security hole.
> Uh, how does removing a trigger cause a larger security hole? As long
> as users can create triggers, removal seems logical.
It's bigger in the sense that you can not only add arbitrary actions,
but remove actions that the table owner intended to have happen.
For example, the ability to temporarily suppress entries in a logging
table (by dropping the trigger that makes them, and then putting the
trigger back later to cover one's tracks) could be of considerable use
to a black hat.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Thomas Munro | 2014-07-30 21:29:18 | Re: SKIP LOCKED DATA (work in progress) |
Previous Message | Bruce Momjian | 2014-07-30 21:17:55 | Re: Making joins involving ctid work for the benefit of UPSERT |