Home > mailing lists

Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute" - Mailing list pgsql-general

From	Tom Lane
Subject	Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"
Date	February 11, 2022 23:59:46
Msg-id	2176817.1644613186@sss.pgh.pa.us Whole thread Raw
In response to	"grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute" (Bryn Llewellyn <bryn@yugabyte.com>)
List	pgsql-general

Tree view

Bryn Llewellyn <bryn@yugabyte.com> writes:
> If user "x" owns function "s.f()", and if you want user "z" to be able to execute it, then this alone is
insufficient:

> grant execute on function s.f() to z;

> The attempt by "z" to execute "s.f()" this draws the 42501 error, "permission denied for schema s". But this _is_
sufficient:

> grant usage on schema s to z;
> revoke execute on function s.f() from z; -- Yes, really!

> *This surprises me*

It shouldn't.  Per the docs, the default permissions on a function
include GRANT EXECUTE TO PUBLIC.  Revoking the never-granted-in-the-
first-place permission to z doesn't remove the PUBLIC permission.

So, if you want to be selective about who can use your functions,
you should revoke the PUBLIC permission and then grant out
permissions to individual roles.

            regards, tom lane

pgsql-general by date:

From: "Peter J. Holzer"
Date: 11 February 2022, 23:53:40
Subject: Re: Can we go beyond the standard to make Postgres radically better?

From: "David G. Johnston"
Date: 12 February 2022, 00:00:15
Subject: Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"

Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute" - Mailing list pgsql-general

Previous

Next