Re: setuid for defaults, constraints and triggers (Was: What user to [sic] defaults execute as?)

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Rod Taylor <rbt(at)rbt(dot)ca>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: setuid for defaults, constraints and triggers (Was: What user to [sic] defaults execute as?)
Date: 2002-10-31 17:15:16
Message-ID: 20021031171516.GA13574@wolff.to
Lists: pgsql-general pgsql-hackers

On Thu, Oct 31, 2002 at 11:15:31 -0500,
Rod Taylor <rbt(at)rbt(dot)ca> wrote:
>
> Yes, default expressions and check constraints could possibly. However,
> both revoke complex expressions (no sub-selects, etc) so there is little
> point.

I disagree. They can call functions which can do unexpected things.
In particular calling nextval in default expressions is common. I think
it is also reasonable that the owner of the table and sequence may
not want people resetting the value of a sequence, while still wanting
them to be able to use nextval when inserting records.

> Functions can already suid if you are using them in check constraints
> for complex lookups.

Yes, and this is a good idea that can be used now. However, I think it
would also be a good idea if users couldn't get burned by running
unexpected functions when modifying tables owned by others. In reality
it will be rare when you would have mutually untrusted people having
this kind of interaction.

> An ASSERTION may be appropriate for suid, as would REFERENCES -- but
> only when explicitly asked for, and those should run as the constraint
> owner NOT as the table owner.

References is already handled using the REFERENCES privilege.

I am a bit confused by the constraint ownership. As far as I can tell
constraints can only be created by the table owner using create table
or alter table. I think that constraints are actually implemented with
triggers. I believe that triggers do have owners. I also think that triggers
should be run with the access of the trigger owner.

I don't know how hard this would be to do. 7.3 does have setuid type effects
for running rules and optionally usable for functions. So my uninformed
guess would be that it isn't too hard.
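
Added example, not part of the original message: the nextval case discussed above, handled with the "suid" function mechanism both posters mention (SECURITY DEFINER). It is written for a current PostgreSQL release rather than 7.3, and every name in it (app_owner, app_writer, the app schema, orders, next_order_id) is hypothetical.

```sql
-- Run as a superuser in a scratch database. All names are hypothetical.
CREATE ROLE app_owner;
CREATE ROLE app_writer;
CREATE SCHEMA app AUTHORIZATION app_owner;
GRANT USAGE ON SCHEMA app TO app_writer;

SET ROLE app_owner;

CREATE SEQUENCE app.orders_id_seq;
-- PUBLIC holds no sequence privileges by default; stated explicitly here
-- so the intent is visible: only the owner may touch the sequence directly.
REVOKE ALL ON SEQUENCE app.orders_id_seq FROM PUBLIC;

-- Wrapper that runs with the privileges of its owner (app_owner), not of
-- the caller. search_path is pinned so the caller cannot redirect name
-- lookups inside a function that runs with someone else's privileges.
CREATE FUNCTION app.next_order_id() RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ SELECT nextval('app.orders_id_seq'::regclass) $$;

-- Functions are executable by PUBLIC by default; narrow that to the writer.
REVOKE ALL ON FUNCTION app.next_order_id() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.next_order_id() TO app_writer;

-- The default expression is evaluated as the inserting user, so it calls
-- the wrapper instead of nextval() directly.
CREATE TABLE app.orders (
    id   bigint PRIMARY KEY DEFAULT app.next_order_id(),
    item text NOT NULL
);
GRANT INSERT ON app.orders TO app_writer;

RESET ROLE;
SET ROLE app_writer;
INSERT INTO app.orders (item) VALUES ('widget');  -- succeeds via the wrapper
SELECT setval('app.orders_id_seq', 1);            -- fails: permission denied
RESET ROLE;
```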
