| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> | 
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> | 
| Cc: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>, Ayush Vatsa <ayushvatsa1810(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> | 
| Subject: | Re: Restricting Direct Access to a C Function in PostgreSQL | 
| Date: | 2024-08-11 15:29:08 | 
| Message-ID: | 3748638.1723390148@sss.pgh.pa.us | 
| Lists: | pgsql-hackers | 
Heikki Linnakangas <hlinnaka(at)iki(dot)fi> writes:

> Sounds complicated. I would go with the GRANT approach. Make my_func() a 
> SECURITY DEFINER function, and revoke access to my_func_extended() for 
> all other roles.

+1

> Another option to consider is to not expose my_func_extended() at the 
> SQL level in the first place, and rewrite my_func() in C. Dunno how 
> complicated the logic in my_func() is, if that makes sense.

Another way to think about that is "push down into C the part of
my_func() that you feel is necessary to make my_func_extended()
safely callable".  Personally I'd probably change my_func_extended()
itself to do that, but if you feel a need to leave it alone, you
could write a C wrapper function.  Anyway my point is you might
not have to move *all* of my_func()'s functionality into C.  Think
about what it is exactly that makes you feel it's unsafe to call
my_func_extended() directly.

			regards, tom lane
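The GRANT approach endorsed in the thread, written out as an added example; this is not code from the thread, from the original poster, or from PostgreSQL itself. It keeps the thread's names my_func() and my_func_extended() and assumes two made-up roles, func_owner and app_user. my_func_extended() is a SQL-language stand-in for the poster's C function so the script runs on a stock PostgreSQL without compiling anything; in the real setup it would be the `LANGUAGE C` function with the same signature.

```sql
-- Added example, not from the thread. Run as a superuser in psql:
--   psql -f restrict_direct_access.sql
-- Assumed names: my_func_extended() (stand-in for the thread's C function),
-- my_func() (the wrapper), func_owner and app_user (made-up roles).

BEGIN;

CREATE ROLE func_owner NOLOGIN;   -- owns both functions
CREATE ROLE app_user  NOLOGIN;    -- an ordinary caller

-- 1. The privileged function. In the thread this is LANGUAGE C; the body
--    below is a stand-in. It is owned by func_owner, never by a caller,
--    because an owner always keeps EXECUTE on its own function.
CREATE FUNCTION my_func_extended(p_id int, p_raw_allowed boolean)
RETURNS text
LANGUAGE sql
AS $$ SELECT format('extended(%s, %s)', p_id, p_raw_allowed) $$;
ALTER FUNCTION my_func_extended(int, boolean) OWNER TO func_owner;

-- 2. PostgreSQL grants EXECUTE on every new function to PUBLIC by default,
--    so revoking from PUBLIC is the step that actually closes direct access.
REVOKE EXECUTE ON FUNCTION my_func_extended(int, boolean) FROM PUBLIC;

-- 3. The wrapper performs the validation that makes the extended function
--    safe to call, then invokes it with the owner's privileges.
--    A SECURITY DEFINER function must pin search_path; otherwise a caller
--    who can create objects in a schema searched earlier can hijack any
--    unqualified name used inside the body.
CREATE FUNCTION my_func(p_id int)
RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    IF p_id IS NULL OR p_id <= 0 THEN
        RAISE EXCEPTION 'my_func: invalid id %', p_id
            USING ERRCODE = 'invalid_parameter_value';
    END IF;
    -- The caller never controls the "bypass" flag; the wrapper decides it,
    -- and the callee is schema-qualified because search_path is pinned.
    RETURN public.my_func_extended(p_id, false);
END
$$;
ALTER FUNCTION my_func(int) OWNER TO func_owner;

-- 4. Same hygiene for the wrapper: drop the default PUBLIC grant and grant
--    EXECUTE only to the roles that are meant to call it.
REVOKE EXECUTE ON FUNCTION my_func(int) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION my_func(int) TO app_user;

-- 5. Verify from the unprivileged role without aborting the transaction:
--    the wrapper is callable, the extended function is not.
SET ROLE app_user;
SELECT my_func(42);
SELECT has_function_privilege('app_user', 'my_func(int)', 'EXECUTE')
           AS wrapper_allowed,
       has_function_privilege('app_user', 'my_func_extended(int, boolean)', 'EXECUTE')
           AS direct_call_allowed;
RESET ROLE;

ROLLBACK;   -- demo only; replace with COMMIT to keep the objects
```

Two things to check in a real deployment: app_user must not be a member of func_owner (with INHERIT, membership would hand it the owner's EXECUTE on my_func_extended() again), and superusers bypass the REVOKE entirely, so the restriction protects against ordinary roles only. If the extension is created with an `ALTER DEFAULT PRIVILEGES ... REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC` already in effect, step 2 is redundant but harmless.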