| From: | Michael Fuhr <mike(at)fuhr(dot)org> |
|---|---|
| To: | Paul Mackay <mackaypaul(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Utility of GRANT EXECUTE |
| Date: | 2006-03-14 08:40:28 |
| Message-ID: | 20060314084028.GA94509@winnie.fuhr.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Tue, Mar 14, 2006 at 09:24:52AM +0100, Paul Mackay wrote:
> It seems that any user has the right to execute a function, whether or not
> it has been granted the EXECUTE privilege on it. Even a REVOKE EXECUTE has
> no impact. A privilige error will be raised only if the function tries to
> access an object (ex.: a table) for witch the user doesn't have the
> appropriate privilege(s).
Revoking EXECUTE from an individual user has no effect if public
still has privileges, which is does by default.
> Is there any utility to the GRANT EXECUTE then ?
If you revoke public's privileges then GRANT EXECUTE has an effect.
test=> create function foo() returns integer as 'select 1' language sql;
CREATE FUNCTION
test=> revoke all on function foo() from public;
REVOKE
test=> grant execute on function foo() to user1;
GRANT
test=> \c - user1
You are now connected as new user "user1".
test=> select foo();
foo
-----
1
(1 row)
test=> \c - user2
You are now connected as new user "user2".
test=> select foo();
ERROR: permission denied for function foo
--
Michael Fuhr
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Paul Mackay | 2006-03-14 08:57:54 | Re: Utility of GRANT EXECUTE |
| Previous Message | Paul Mackay | 2006-03-14 08:24:52 | Utility of GRANT EXECUTE |