From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgreSQL(dot)org |
Subject: | Re: Permissions on aggregate component functions |
Date: | 2005-01-27 21:42:06 |
Message-ID: | 20050127214206.GA8250@wolff.to |
Lists: | pgsql-hackers |

On Thu, Jan 27, 2005 at 15:27:54 -0500,
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> I just noticed that there is no permission check anywhere in CREATE
> AGGREGATE concerning the aggregate's transition and final functions.
> This means anyone can trivially bypass the function EXECUTE permission
> check: just make an aggregate function to call it for you. (Now, this
> works only for functions whose signature fits what an aggregate
> expects, but for most one- and two-argument functions you can do it.)
>
> Clearly this is a must-fix issue, but I'm wondering exactly where the
> check should be enforced. Is it sufficient to check at the time of
> CREATE AGGREGATE that the creator has appropriate rights, or do we need
> to do it every time the aggregate is used?

I would think both would be best. If you don't check at runtime, the function
owner can't easily revoke access (dropping the function might be a pain
if it is used in lots of places). It is nice to check at creation so as
to give immediate feedback if there is a problem.
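
A read-only catalog query for auditing the revocation case raised in this message, added here as an example and not part of the original thread: it lists aggregates whose owner does not currently hold EXECUTE on the transition or final function. It assumes a PostgreSQL release that provides `has_function_privilege` and the `pg_aggregate` columns used below.

```sql
-- Added example (not from the thread): find aggregates whose owner does not
-- currently hold EXECUTE on a component function, e.g. after a REVOKE.
-- Read-only; uses only system catalogs and has_function_privilege().
SELECT agg.oid::regprocedure                     AS aggregate,
       pg_get_userbyid(agg.proowner)             AS aggregate_owner,
       a.aggtransfn::oid::regprocedure           AS transition_fn,
       has_function_privilege(agg.proowner, a.aggtransfn::oid, 'EXECUTE')
                                                 AS owner_may_call_transition,
       -- aggfinalfn is 0 when the aggregate has no final function
       CASE WHEN a.aggfinalfn::oid <> 0
            THEN a.aggfinalfn::oid::regprocedure
       END                                       AS final_fn,
       CASE WHEN a.aggfinalfn::oid <> 0
            THEN has_function_privilege(agg.proowner, a.aggfinalfn::oid, 'EXECUTE')
       END                                       AS owner_may_call_final
FROM pg_aggregate AS a
JOIN pg_proc AS agg ON agg.oid = a.aggfnoid::oid
WHERE NOT has_function_privilege(agg.proowner, a.aggtransfn::oid, 'EXECUTE')
   OR (a.aggfinalfn::oid <> 0
       AND NOT has_function_privilege(agg.proowner, a.aggfinalfn::oid, 'EXECUTE'))
ORDER BY pg_get_userbyid(agg.proowner), agg.oid;
```

An empty result means every aggregate owner can still execute the component functions of the aggregates they own.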