From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
---|---|
To: | Pascal Meunier <pmeunier(at)cerias(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Jim C(dot) Nasby" <jimn(at)enterprisedb(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: minor feature request: Secure defaults during |
Date: | 2006-09-18 21:00:01 |
Message-ID: | 20060918210000.GI8796@svana.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Sep 18, 2006 at 02:49:23PM -0400, Pascal Meunier wrote:
> regardless of the outcome. Moreover, I'd rather be a carpet to the
> PostgreSQL developers than be cited as the cause for a security improvement
> not being made, due to having antagonized so much the developers. Please,
> consider the issue and not the silly messenger.
The problem is that the issue is rather more complicated than you let
on. Backward compatability is a big deal. The principle of least
surprise also dictates that whatever default permissions are chosen
should be the same for every function and not depend on various
attributes.
By your reasoning we should also have different default permissions if
the function is in an untrusted language, or if the language doesn't
have a validator. Where do you draw the line?
Someone writing SECURITY DEFINER in their function definition has to be
understood to know what they're doing. After all, "chmod +s" doesn't
reset global execute permissions either, because that would be far too
confusing. The same applies here IMHO. The whole point is to be
executed by other users.
We need much stronger arguments than what's been given so far.
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
From | Date | Subject | |
---|---|---|---|
Next Message | Walter Cruz | 2006-09-18 21:00:22 | pdfs of the conference |
Previous Message | Tom Lane | 2006-09-18 20:57:51 | Re: 8.2 beta blockers |