From: | Simon Riggs <simon(at)2ndQuadrant(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | depesz <depesz(at)depesz(dot)com>, pgsql-general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Why security-definer functions are executable by public by default? |
Date: | 2011-04-06 09:42:31 |
Message-ID: | BANLkTinS9dsuar4+R+hWj3W5hO2yrNtRsg@mail.gmail.com |
Lists: | pgsql-general |
On Tue, Apr 5, 2011 at 3:45 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> hubert depesz lubaczewski <depesz(at)depesz(dot)com> writes:
>> was pointed to the fact that security definer functions have the same
>> default privileges as normal functions in the same language - i.e. if
>> the language is trusted - public has the right to execute them.
>
>> maybe I'm missing something important, but given the fact that security
>> definer functions are used to get access to things that you usually
>> don't have access to - shouldn't the privilege be revoked by default,
>> and grants left for dba to decide?
>
> I don't see that that follows, at all. The entire point of a security
> definer function is to provide access to some restricted resource to
> users who couldn't get at it with their own privileges. Having it start
> with no privileges would be quite useless.
Agreed.
If somebody is creating a security definer function then they are
explicitly relaxing security. It's a little hard for people doing that
to say that they were not aware of security and forgot to issue GRANTs
to carefully define who got the new capability.
--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
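The GRANT discipline Simon describes, as an added PostgreSQL example that is not part of the thread: a SECURITY DEFINER function starts out executable by PUBLIC like any function in a trusted language, so the creator narrows it explicitly. The roles (app_owner, report_user, other_user), table (secrets) and function (secret_count) are assumed names; it is run as app_owner, assumed to own the table and to have CREATEROLE.

```sql
-- Added example, not from the mailing-list thread. Assumed objects:
-- role app_owner (runs this script, owns the table and function),
-- role report_user (the role meant to get the capability), table secrets.

CREATE TABLE secrets (id int PRIMARY KEY, owner_name text, note text);
CREATE ROLE report_user NOLOGIN;
CREATE ROLE other_user  NOLOGIN;
-- Ordinary roles cannot read the table directly.
REVOKE ALL ON secrets FROM PUBLIC;

-- The function executes with app_owner's privileges, so callers reach
-- the table only through this narrow interface.
CREATE OR REPLACE FUNCTION secret_count(p_owner text)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
-- Pin search_path so the body resolves only the objects named here.
SET search_path = pg_catalog, pg_temp
AS $$ SELECT count(*) FROM public.secrets WHERE owner_name = p_owner $$;

-- At this point the default privilege applies: EXECUTE is granted to
-- PUBLIC, so this check succeeds for report_user and other_user alike.
SELECT has_function_privilege('other_user', 'secret_count(text)', 'EXECUTE');

-- Define exactly who receives the new capability.
REVOKE EXECUTE ON FUNCTION secret_count(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION secret_count(text) TO report_user;

-- Verify the result: report_user keeps EXECUTE, other_user has lost it.
SELECT rolname,
       has_function_privilege(rolname, 'secret_count(text)', 'EXECUTE') AS can_exec
FROM pg_roles
WHERE rolname IN ('report_user', 'other_user');

-- Optional: make future functions created by app_owner in this schema
-- start without the PUBLIC grant, so each one needs an explicit GRANT.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
```

The final ALTER DEFAULT PRIVILEGES only affects functions created afterwards; existing functions keep whatever grants they already have.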