From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | hubert depesz lubaczewski <depesz(at)depesz(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Why security-definer functions are executable by public by default? |
Date: | 2011-04-07 02:47:50 |
Message-ID: | 20110407024750.GA23706@tornado.gateway.2wire.net |
Lists: | pgsql-general |
On Tue, Apr 05, 2011 at 08:41:21AM +0200, hubert depesz lubaczewski wrote:
> was pointed to the fact that security definer functions have the same
> default privileges as normal functions in the same language - i.e. if
> the language is trusted - public has the right to execute them.
That default applies to untrusted-language functions as well, and I don't think
individual languages can override it.
> maybe I'm missing something important, but given the fact that security
> definer functions are used to get access to things that you usually
> don't have access to - shouldn't the privilege be revoked by default,
> and grants left for dba to decide?
Agreed. The SECURITY DEFINER property would remain superfluous until you GRANT
the function to a suitable audience, but that seems preferable to presuming that
the universal audience is suitable. In other words, I'd rather have the user
who hasn't thought this through get permission failures until he does. Likewise
for functions implemented in untrusted languages.
At least, that's what I'd prefer for a greenfield.
nm
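The pattern Noah recommends (revoke EXECUTE from PUBLIC, then GRANT to a suitable audience), worked through as a SQL example added here; it is not part of the original message. The schema, table, role and function names are made up, and `ALTER DEFAULT PRIVILEGES` requires PostgreSQL 9.0 or later.

```sql
-- Constructed example: a SECURITY DEFINER wrapper that exposes one row of a
-- table the caller cannot read directly. All object names are hypothetical.
CREATE SCHEMA hr;
CREATE TABLE hr.salary (emp_id int PRIMARY KEY, amount numeric);
CREATE ROLE app_reader NOLOGIN;

CREATE FUNCTION hr.my_salary(p_emp int) RETURNS numeric
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- documented precaution for SECURITY DEFINER
AS $$ SELECT amount FROM hr.salary WHERE emp_id = p_emp $$;

-- Default state: PUBLIC (every role) has EXECUTE on this function, so any
-- role can read any salary, because the body runs with the owner's rights.

-- Hardened form: take EXECUTE away from PUBLIC (the owner keeps it), then
-- grant it only to the roles that actually need the wrapper.
REVOKE EXECUTE ON FUNCTION hr.my_salary(int) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION hr.my_salary(int) TO app_reader;

-- Make the locked-down default apply to functions this owner creates later
-- in the same schema, so new SECURITY DEFINER functions start closed.
ALTER DEFAULT PRIVILEGES IN SCHEMA hr REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Audit query: list SECURITY DEFINER functions that PUBLIC can still execute.
SELECT n.nspname, p.proname,
       pg_get_function_identity_arguments(p.oid) AS args
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND has_function_privilege('public', p.oid, 'EXECUTE')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');
```

After the REVOKE/GRANT pair, `hr.my_salary` no longer appears in the audit query's output; run the query as part of a schema review to find functions still sitting on the open default.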