| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Albe Laurenz <all(at)adv(dot)magwien(dot)gv(dot)at> |
| Cc: | Peter Eisentraut *EXTERN* <peter_e(at)gmx(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Security leak with trigger functions? |
| Date: | 2006-12-15 16:52:33 |
| Message-ID: | 4582D2D1.7020506@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Albe Laurenz wrote:
> Looking at pg_trigger I have the impression that there is no such thing
> as an 'owner of a trigger', and consequently the owner of the trigger
> would automatically be the table owner.
>
> I understand the reservations about the TRIGGER privilege, but I think
> that it is obvious anyway that anybody who can add a trigger can
> basically do everything with the table.
>
>
Isn't the problem that they can do more than just things with the table?
If the trigger runs as the owner of the table it can do *anything* the
owner can do. So if we allow the alter privilege to include ability to
place a trigger then that privilege includes everything the owner can do
(including granting/revoking other privileges). Surely that is not what
was intended. Arguably we should invent a concept of an explicit trigger
owner.
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2006-12-15 16:54:56 | pgsql: Put JST back into the default set of timezone abbreviations; was |
| Previous Message | Tom Lane | 2006-12-15 16:37:56 | Re: invalid input syntax for type timestamp. |