On Wed, Jul 16, 2014 at 07:45:56PM -0400, Tom Lane wrote:
> A look at check_object_ownership suggests that you could take the TRIGGER
> case out of the generic relation path and make it a special case that
> allows either ownership or TRIGGER permission.
>
> TBH, though, I'm not sure this is something to pursue. We discussed all
> this back in 2006. As I pointed out at the time, giving somebody TRIGGER
> permission is tantamount to giving them full control of your account:
> http://www.postgresql.org/message-id/21827.1166115978@sss.pgh.pa.us
> because they can install a trigger that will execute arbitrary code with
> *your* privileges the next time you modify that table.
>
> I think we should get rid of the separate TRIGGER privilege altogether,
> not make it an even bigger security hole.
Uh, how does removing a trigger cause a larger security hole? As long
as users can create triggers, removal seems logical.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ Everyone has their own god. +
