Re: BUG #6076: Unexpected "Security Definer / invoker" interaction - Mailing list pgsql-bugs

From Alvaro Herrera
Subject Re: BUG #6076: Unexpected "Security Definer / invoker" interaction
Msg-id 1308939809-sup-2803@alvh.no-ip.org
In response to BUG #6076: Unexpected "Security Definer / invoker" interaction  ("Dave Fennell" <dave@microtux.co.uk>)
List pgsql-bugs
Excerpts from Dave Fennell's message of vie jun 24 10:48:40 -0400 2011:

> Not sure if this is a bug or possibly just undocumented (or unclearly
> documented) behaviour but the interaction of functions defined as "security
> definer" and functions defined as "security invoker" is not what I would
> expect.
>
> I would expect that if a function defined as "security definer" calls a
> function defined as "security invoker" the "invoker" role used would be the
> "definer" of the first function? However it appears that the *actual*
> invoker (current user) is used.

I think your problem is that you need an explicit SET ROLE to sub1
before calling sub1.func2().  Alternatively you could set up global so
that it "inherits" (which would automatically give it the privileges
that both sub1 and sub2 have).

There doesn't seem to be a bug here.

--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
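
The inheritance alternative from the reply above, as an added example that is not part of the original message or the reporter's code. The role names global and sub1 and the function sub1.func2() follow the thread; app_user, public.func1() and the NOINHERIT starting point are assumptions.

```sql
-- Constructed demo; run as a superuser in a scratch database.
-- Role names global and sub1 and the function sub1.func2() follow the thread;
-- app_user and public.func1() are hypothetical.
CREATE ROLE sub1;
CREATE ROLE global NOINHERIT;  -- member of sub1 below, but does not inherit its privileges
CREATE ROLE app_user;
GRANT sub1 TO global;

CREATE SCHEMA sub1 AUTHORIZATION sub1;  -- only sub1 has USAGE on this schema

-- SECURITY INVOKER (the default): runs with whatever current_user is at call time.
CREATE FUNCTION sub1.func2() RETURNS text
    LANGUAGE sql SECURITY INVOKER
    AS $$ SELECT current_user::text $$;
ALTER FUNCTION sub1.func2() OWNER TO sub1;

-- SECURITY DEFINER: the body runs with current_user = the owner, global.
CREATE FUNCTION public.func1() RETURNS text
    LANGUAGE plpgsql SECURITY DEFINER
    AS $$ BEGIN RETURN sub1.func2(); END $$;
ALTER FUNCTION public.func1() OWNER TO global;

-- Call 1: the real caller is app_user, but the privilege check on schema sub1
-- is made against global. global is a NOINHERIT member of sub1, so it holds
-- none of sub1's privileges and the call is refused.
SET ROLE app_user;
SELECT public.func1();
RESET ROLE;

-- Make global inherit sub1's privileges. Re-creating the grant keeps this
-- correct on releases that record inheritance per grant rather than per role.
REVOKE sub1 FROM global;
ALTER ROLE global INHERIT;
GRANT sub1 TO global;

-- Call 2: succeeds, and func2 reports the current_user it ran under.
SET ROLE app_user;
SELECT public.func1();
RESET ROLE;

-- Cleanup
DROP FUNCTION public.func1();
DROP SCHEMA sub1 CASCADE;
DROP ROLE app_user, global, sub1;
```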
