Re: Creating functions and triggers - Mailing list pgsql-general

From Bruno Wolff III
Subject Re: Creating functions and triggers
Date
Msg-id 20030513192018.GA21642@wolff.to
Whole thread Raw
In response to Re: Creating functions and triggers  (Network Administrator <netadmin@vcsn.com>)
Responses Re: Creating functions and triggers
List pgsql-general
On Tue, May 13, 2003 at 14:16:52 -0400,
  Network Administrator <netadmin@vcsn.com> wrote:
> We're saying the same thing- non-admin user (superusers) can only install
> untrusted languages.  However, I didn't know you could grant rights to a
> untrusted function.  That is interesting because I thought the language's
> trusted status was based on who owned the database. For instance, if I installed
> Perl as untrusted into template1 wouldn't any user database based I create for
> regular users (as the superuser but making them the database owner) run PL/Perl
>  functions as trusted?

The access right for languages is USAGE. I believe this is granted to
public by default when a trusted language is created. For untrusted
languages you can't grant usage. If you don't have usage access to
a language, you can't create functions using that language. Since
a normal user can't get usage access to an untrusted language a normal
user can't create functions that use untrusted languages.
Note that in older versions of postgres the same restriction was there,
but things worked a little differently as there was no language
version of the grant command.

>
> The initial reason for my post is that I [thought] I saw some talk about writing
> files as using PL/Perl instead of PL/Sh and I thought PL/Perl did not allow
> regular users to write files to the file system, no?

I haven't played with PL/Perl myself, but I do believe that there are
both trusted and untrusted versions of that. Presumably the untrusted
one would have full access to perl and be able to write to files.


pgsql-general by date:

Previous
From: Juan Rojas
Date:
Subject: psql errors
Next
From: DeJuan Jackson
Date:
Subject: Re: Querying the last value of all sequences