Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bryn Llewellyn <bryn(at)yugabyte(dot)com>
Cc: pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"
Date: 2022-02-11 20:59:46
Message-ID: 2176817.1644613186@sss.pgh.pa.us
Lists: pgsql-general

Bryn Llewellyn <bryn(at)yugabyte(dot)com> writes:
> If user "x" owns function "s.f()", and if you want user "z" to be able to execute it, then this alone is insufficient:

> grant execute on function s.f() to z;

> The attempt by "z" to execute "s.f()" then draws the 42501 error, "permission denied for schema s". But this _is_ sufficient:

> grant usage on schema s to z;
> revoke execute on function s.f() from z; -- Yes, really!

> *This surprises me*

It shouldn't. Per the docs, the default permissions on a function
include GRANT EXECUTE TO PUBLIC. Revoking the never-granted-in-the-
first-place permission to z doesn't remove the PUBLIC permission.

So, if you want to be selective about who can use your functions,
you should revoke the PUBLIC permission and then grant out
permissions to individual roles.

regards, tom lane
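Editor's note: the following SQL session is an added illustration of Tom's point, not code from the thread. It assumes the roles "x" and "z" and the schema "s" from Bryn's message, runs as a superuser (or a member of "x"), and uses a constructed function body; has_function_privilege() checks only the function's own ACL, not schema USAGE.

```sql
-- Setup: x owns schema s and the function in it; z is the role we want to control.
CREATE ROLE x;
CREATE ROLE z;
CREATE SCHEMA s AUTHORIZATION x;

SET ROLE x;
CREATE FUNCTION s.f() RETURNS int LANGUAGE sql AS 'SELECT 42';  -- constructed body
RESET ROLE;

-- Default function ACL already includes EXECUTE for PUBLIC, so z can call it
-- as soon as it has USAGE on the schema, with no explicit GRANT EXECUTE at all.
SELECT has_function_privilege('z', 's.f()', 'EXECUTE');  -- t

-- Revoking from z alone changes nothing: z never held a direct grant,
-- and the PUBLIC grant is untouched.
REVOKE EXECUTE ON FUNCTION s.f() FROM z;
SELECT has_function_privilege('z', 's.f()', 'EXECUTE');  -- still t

-- The selective setup Tom describes: drop the PUBLIC grant first ...
REVOKE EXECUTE ON FUNCTION s.f() FROM PUBLIC;
SELECT has_function_privilege('z', 's.f()', 'EXECUTE');  -- f

-- ... then grant schema USAGE plus EXECUTE only to the roles that need it.
GRANT USAGE ON SCHEMA s TO z;
GRANT EXECUTE ON FUNCTION s.f() TO z;
SELECT has_function_privilege('z', 's.f()', 'EXECUTE');  -- t

-- Make the same policy apply to functions x creates in s from now on,
-- so new functions do not silently reopen EXECUTE to PUBLIC.
ALTER DEFAULT PRIVILEGES FOR ROLE x IN SCHEMA s
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Inspect the resulting ACL: owner entry plus an explicit z=X/x entry, no PUBLIC.
SELECT proacl FROM pg_proc WHERE oid = 's.f()'::regprocedure;
```

Before the REVOKE ... FROM PUBLIC the proacl column is NULL, which is how the catalog represents the built-in default (owner plus PUBLIC EXECUTE); an explicit ACL with no "=X/" entry is what you want to see afterwards.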
