Re: Security leak with trigger functions? - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Security leak with trigger functions?
Date
Msg-id 11788.1166203013@sss.pgh.pa.us
Whole thread Raw
In response to Re: Security leak with trigger functions?  (Martijn van Oosterhout <kleptog@svana.org>)
Responses Re: Security leak with trigger functions?  ("Florian G. Pflug" <fgp@phlo.org>)
List pgsql-hackers
Martijn van Oosterhout <kleptog@svana.org> writes:
> The trigger never runs as the owner of the table AIUI, only ever as the
> definer of the function or as session user.

Yeah.  This might itself be seen as a bug: I think you could make a
reasonable case that the default behavior ought to be to run as the
table owner (but still overridable if trigger function is SECURITY
DEFINER, of course).  In the current situation a table owner can use
a trigger function as a trojan horse against anyone modifying the
table.

And then there's the question of functions run as a result of rule
definitions.  That's a lot harder to fix, but (I think) triggers would
be relatively easy to do something about.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Andrew Dunstan
Date:
Subject: Re: Security leak with trigger functions?
Next
From: Tom Lane
Date:
Subject: Re: Operator class group proposal