| From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
|---|---|
| To: | "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch>, Joe Conway <mail(at)joeconway(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: AW: [Extern] Re: PG16.1 security breach? |
| Date: | 2024-06-07 14:32:44 |
| Message-ID: | 6d223a4891287cfb08b720103faef2da1b5719f3.camel@cybertec.at |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, 2024-06-07 at 13:54 +0000, Zwettler Markus (OIZ) wrote:
> > Another point to keep in mind is that by default, execute privilege is granted to
> > PUBLIC for newly created functions (see Section 5.7 for more information).
>
> Argh. No! What a bad habit!
>
> Might be good idea for an enhancement request to create a global parameter to disable this habit.
I don't see the problem, since the default execution mode for functions is
SECURITY INVOKER.
But you can easily change that:
ALTER DEFAULT PRIVILEGES FOR ROLE function_creator REVOKE EXECUTE ON FUNCTION FROM PUBLIC;
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2024-06-07 14:35:58 | Re: AW: [Extern] Re: PG16.1 security breach? |
| Previous Message | David G. Johnston | 2024-06-07 14:16:04 | Re: PG16.1 security breach? |