Re: Strange permission effect depending on DEFERRABILITY

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: Achilleas Mantzios - cloud <a(dot)mantzios(at)cloud(dot)gatewaynet(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: Strange permission effect depending on DEFERRABILITY
Date: 2024-09-10 17:22:00
Message-ID: 363f99f669d19bbb2776aa0b7f6b0d991d11d323.camel@cybertec.at
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Tue, 2024-09-10 at 12:20 +0300, Achilleas Mantzios - cloud wrote:
> On 9/10/24 00:09, Laurenz Albe wrote:
> > On Mon, 2024-09-09 at 16:14 +0300, Achilleas Mantzios - cloud wrote:
> > > The below runs on PostgreSQL 16.4
> > >
> > > We are trying to implement a certain operation based on a security definer
> > > function : mariner_update_availability_date
> > >
> > > This is supposed to update a table : mariner , which has several other triggers :
> > >
> > > [...]
> > >   zzzmariner_dmq_tg AFTER INSERT OR DELETE OR UPDATE ON mariner DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION export_dmq()
> > >
> > > As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger.
> > > This function mariner_update_availability_date is supposed to be run by a user :
> > > cbt_results_import stripped of any privileges to the rest of the system. Here is
> > > what we get : when we SET the constraint of the last trigger to IMMEDIATE, the
> > > function runs on behalf of its owner (postgres) who has all needed privileges
> > > (as superuser) to run the update on mariner table and also run the triggers .
> > > However, when we run with this CONSTRAINT as DEFERRED then it seems to NOT run
> > > the last deferrable trigger as postgres.
> > >
> > I have proposed a patch that fixes exactly that case:
> > https://commitfest.postgresql.org/49/4888/
> >
> > So far, the feedback seems to be that it is not considered a bug.
> > But that doesn't mean that we cannot change the behavior.
>
> Nice work! However I am not sure. What's a trigger owner btw in the
> thread :
> ? Do they mean the table owner? is the trigger creator / owner stored
> somewhere ? I dont see it in system tables or the schema dump. Or do
> they imply the trigger function owner ?

The owner of a trigger is always the owner of the table.

> Maybe controlling the queued and later executed trigger invocations
> security context via a new special GUC? such as :
>
> trigger_security_ctx = current_user (default) | table/trigger_owner |
> execution_triggered_user
>
> (in every case a SECURITY DEFINER function would override the above setting)

The PostgreSQL project has made bad experiences with parameters that change
the semantics of SQL statements, so I think that idea will meet resistance.

Besides, what I am proposing in the patch is not to use the owner of the
table, but the current_user at the time that the trigger is queued.

I had the impression that that is what you are looking for.
Executing as table owner can easily be done with a SECURITY DEFINER function.

Yours,
Laurenz Albe

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Achilleas Mantzios 2024-09-10 17:41:32 Re: Strange permission effect depending on DEFERRABILITY
Previous Message Rich Shepard 2024-09-10 16:46:39 Re: Removing duplicate rows in table