Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)
Date
Msg-id 10451.1339470190@sss.pgh.pa.us
Whole thread Raw
In response to Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)  (Noah Misch <noah@leadboat.com>)
Responses Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)
List pgsql-hackers
Noah Misch <noah@leadboat.com> writes:
>> CREATE FUNCTION + ALTER FUNCTION OWNER TO is useful for creating another
>> user's untrusted-language SECURITY DEFINER function.  ALTER FUNCTION CALLED ON
>> NULL INPUT ought to require that the user be eligible to redefine the function
>> completely.

> Here's a patch implementing that restriction.  To clarify, I see no need to
> repeat *all* the CREATE-time checks; for example, there's no need to recheck
> permission to use the return type.  The language usage check is enough.

This seems bizarre and largely unnecessary.  As you stated to begin
with, granting ownership of a function implies some degree of trust.
I do not want to get into the business of parsing exactly which variants
of ALTER FUNCTION ought to be considered safe.  And I definitely don't
want to add a check that enforces restrictions against cases that have
got nothing whatever to do with C-language functions, as this patch
does.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Kyotaro HORIGUCHI
Date:
Subject: Re: Skip checkpoint on promoting from streaming replication
Next
From: Amit Kapila
Date:
Subject: Re: Resource Owner reassign Locks