From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
Cc: | Albe Laurenz <all(at)adv(dot)magwien(dot)gv(dot)at>, Peter Eisentraut *EXTERN* <peter_e(at)gmx(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Security leak with trigger functions? |
Date: | 2006-12-15 17:16:48 |
Message-ID: | 4582D880.1060100@dunslane.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Martijn van Oosterhout wrote:
> On Fri, Dec 15, 2006 at 11:52:33AM -0500, Andrew Dunstan wrote:
>
>> Isn't the problem that they can do more than just things with the table?
>> If the trigger runs as the owner of the table it can do *anything* the
>> owner can do. So if we allow the alter privilege to include ability to
>> place a trigger then that privilege includes everything the owner can do
>> (including granting/revoking other privileges). Surely that is not what
>> was intended. Arguably we should invent a concept of an explicit trigger
>> owner.
>>
>
> I thought the problem was the other way round. That some person created
> a function as SECURITY DEFINER but restricted EXECUTE permissions. And
> now anybody can create a table and use that function as a trigger and
> it will be executed even though neither the owner of the table nor the
> person executing the trigger has EXECUTE permissions.
>
> Triggers don't have owners because like you said, the table owner
> controls them. The point is that there's no check that the table owner
> is actually allowed to execute the function being used as trigger.
>
> The trigger never runs as the owner of the table AIUI, only ever as the
> definer of the function or as session user.
>
>
>
OK, sorry for the confusion.
cheers
andrew
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2006-12-15 17:16:53 | Re: Security leak with trigger functions? |
Previous Message | Martijn van Oosterhout | 2006-12-15 17:01:23 | Re: Security leak with trigger functions? |