Re: Why security-definer functions are executable by public by default? - Mailing list pgsql-general

From Bruce Momjian
Subject Re: Why security-definer functions are executable by public by default?
Date
Msg-id 201106150208.p5F28is27021@momjian.us
Whole thread Raw
In response to Re: Why security-definer functions are executable by public by default?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
Tom Lane wrote:
> hubert depesz lubaczewski <depesz@depesz.com> writes:
> > was pointed to the fact that security definer functions have the same
> > default privileges as normal functions in the same language - i.e. if
> > the language is trusted - public has the right to execute them.
>
> > maybe i'm missing something important, but given the fact that security
> > definer functions are used to get access to things that you usually
> > don't have access to - shouldn't the privilege be revoked by default,
> > and grants left for dba to decide?
>
> I don't see that that follows, at all.  The entire point of a security
> definer function is to provide access to some restricted resource to
> users who couldn't get at it with their own privileges.  Having it start
> with no privileges would be quite useless.

Sorry for the late reply, but isn't this exactly what we do when we
create schemas?  We create them with owner-only permissions because it
closes a window of vunlerability if somone creates the schema and then
tries to lock it down later.  Is the security-definer function a similar
case that should start as owner-only?

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +

pgsql-general by date:

Previous
From: Tatsuo Ishii
Date:
Subject: LPI-Japan to start PostgreSQL certfication
Next
From: Josh Kupershmidt
Date:
Subject: Re: Executing \i of psql command using libpq library