Re: security permissions for functions - Mailing list pgsql-general

From Ted Byers
Subject Re: security permissions for functions
Date
Msg-id 0a5501c7620a$6a858a00$6401a8c0@RnDworkstation
Whole thread Raw
In response to security permissions for functions  (Rikard Pavelic <rikard.pavelic@zg.htnet.hr>)
Responses Re: security permissions for functions
List pgsql-general
>
> Functions are controlled by the same ACL mechanism that tables and
> everything
> else follows.  Thus you have the idea of "user id X may do Y with object
> Z"
> i.e. "user "barbara" may "execute" function "somefunction()".
>
> But there's no real way to alter those permissions outside of changing the
> user ID context.
>

So, I should be able to have "user "barbara" "execute" function
"somefunction()", but, though barbara must not have access of object alpha
lets say for data security reasons (and user sarah does), I could have
function somefunction invoke another function that stores information about
barbara's action to object alpha by changing user context temporarily and
without barbara's knowledge; basically saying within function
"somefunction()" something like "execute function 'someotherfunction()'
impersonating sarah and stop impersonating sarah once someotherfunction
returns.  Much like the way I can log in to Windows or Linux as one user and
temporarily impersonate another while executing a particular program or
administrative function (e,g, log into Linux as a mere mortal, start a bash
shell providing credentials for an admin account, do my admin type stuff and
then close the shell).

Or have I misunderstood you here WRT user ID context?

Ted



pgsql-general by date:

Previous
From: Tom Lane
Date:
Subject: Re: Weird behaviour on a join with multiple keys
Next
From: Tom Lane
Date:
Subject: Re: OT: Canadian Tax Database