Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, without needing to grant "execute"

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bryn Llewellyn <bryn(at)yugabyte(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, jeremy(at)musicsmith(dot)net, pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, without needing to grant "execute"
Date: 2022-02-14 20:04:06
Message-ID: Ygq1tq62fHueyqBj@momjian.us
Lists: pgsql-general

On Fri, Feb 11, 2022 at 05:05:20PM -0500, Tom Lane wrote:
> Bryn Llewellyn <bryn(at)yugabyte(dot)com> writes:
> > I confess that I'm surprised by the choice of the default behavior. It seems to be at odds with the principle of least privilege that insists that you actively opt in to any relevant privilege.
>
> I'd be the first to agree that this behavior sacrifices security
> principles for convenience. However, it's not that big a deal
> in practice, because functions that aren't SECURITY DEFINER can't
> do anything that the caller couldn't do anyway. You do need to
> be careful about the default PUBLIC grant if you're making a
> SECURITY DEFINER function, but that's a minority use-case.

How would you do that securely? Create the function and set its
permissions in a transaction block?

> (I wonder if it'd be practical or useful to emit a warning when
> granting permissions on an object that already has a grant of
> the same permissions to PUBLIC. That would at least cue people
> who don't understand about this behavior that they ought to look
> more closely.)

Agreed.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.
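The pattern Bruce is asking about, as an added example that is not part of the thread: create a SECURITY DEFINER function and remove the default PUBLIC EXECUTE grant in the same transaction, so no other session ever sees a window in which the function is callable by everyone, then opt in only the intended role. The schema app, table app.users and role helpdesk_role are assumed to exist; they are illustration names, not anything from the thread.

```sql
-- Added example (not from the thread). Assumes schema app, table
-- app.users(username, password_hash) and role helpdesk_role exist.
BEGIN;

-- Option 1: stop the default PUBLIC grant from being applied to
-- functions created in this schema from now on (PostgreSQL's
-- ALTER DEFAULT PRIVILEGES; affects only future functions).
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

CREATE FUNCTION app.reset_password(target_user text)
RETURNS void
LANGUAGE sql
SECURITY DEFINER
-- Pin search_path so the definer's privileges cannot be redirected
-- to an attacker-controlled object of the same name.
SET search_path = pg_catalog, pg_temp
AS $$
  UPDATE app.users
     SET password_hash = NULL
   WHERE username = target_user;
$$;

-- Option 2 (belt and braces, and the only option if the default
-- privileges were not changed): revoke the PUBLIC grant explicitly
-- before COMMIT, so the function is never callable by PUBLIC in any
-- committed state.
REVOKE EXECUTE ON FUNCTION app.reset_password(text) FROM PUBLIC;

-- Opt in exactly the role that should be allowed to call it.
GRANT EXECUTE ON FUNCTION app.reset_password(text) TO helpdesk_role;

COMMIT;

-- Verification: list every grant on the function. A row with
-- grantee = 0 would mean PUBLIC still holds the privilege; after the
-- block above, only the owner and helpdesk_role should appear.
SELECT grantee::regrole, privilege_type
  FROM pg_proc,
       LATERAL aclexplode(proacl)
 WHERE oid = 'app.reset_password(text)'::regprocedure;
```

The verification query is the check to run routinely over all SECURITY DEFINER functions (filter pg_proc on prosecdef) when auditing a database for the PUBLIC grant the thread describes.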
