| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | depesz(at)depesz(dot)com, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Why security-definer functions are executable by public by default? |
| Date: | 2011-06-15 02:08:44 |
| Message-ID: | 201106150208.p5F28is27021@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Tom Lane wrote:
> hubert depesz lubaczewski <depesz(at)depesz(dot)com> writes:
> > was pointed to the fact that security definer functions have the same
> > default privileges as normal functions in the same language - i.e. if
> > the language is trusted - public has the right to execute them.
>
> > maybe i'm missing something important, but given the fact that security
> > definer functions are used to get access to things that you usually
> > don't have access to - shouldn't the privilege be revoked by default,
> > and grants left for dba to decide?
>
> I don't see that that follows, at all. The entire point of a security
> definer function is to provide access to some restricted resource to
> users who couldn't get at it with their own privileges. Having it start
> with no privileges would be quite useless.
Sorry for the late reply, but isn't this exactly what we do when we
create schemas? We create them with owner-only permissions because it
closes a window of vunlerability if somone creates the schema and then
tries to lock it down later. Is the security-definer function a similar
case that should start as owner-only?
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Josh Kupershmidt | 2011-06-15 02:35:45 | Re: Executing \i of psql command using libpq library |
| Previous Message | Tatsuo Ishii | 2011-06-15 01:48:38 | LPI-Japan to start PostgreSQL certfication |