Re: Why is EXECUTE granted to PUBLIC for all routines? - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Why is EXECUTE granted to PUBLIC for all routines?
Date
Msg-id 3707734.1650649480@sss.pgh.pa.us
Whole thread Raw
In response to Why is EXECUTE granted to PUBLIC for all routines?  (Jacek Trocinski <jacek@hedgehog.app>)
Responses Re: Why is EXECUTE granted to PUBLIC for all routines?
List pgsql-hackers
Jacek Trocinski <jacek@hedgehog.app> writes:
> The default behavior on Postgres is to grant EXECUTE to PUBLIC on any
> function or procedure that is created.

> I feel this this is a security concern, especially for procedures and
> functions defined with the "SECURITY DEFINER" clause.

There is zero security concern for non-SECURITY-DEFINER functions,
since they do nothing callers couldn't do for themselves.  For those,
you typically do want to grant out permissions.  As for SECURITY DEFINER
functions, there is no reason to make one unless it is meant to be called
by someone besides the owner.  Perhaps PUBLIC isn't the scope you want to
grant it to, but no-privileges wouldn't be a useful default there either.

In any case, changing this decision now would cause lots of problems,
such as breaking existing dump files.  We're unlikely to revisit it.

As noted in the docs, best practice is to adjust the permissions
as you want them in the same transaction that creates the function.

            regards, tom lane



pgsql-hackers by date:

Previous
From: Jacek Trocinski
Date:
Subject: Why is EXECUTE granted to PUBLIC for all routines?
Next
From: Andres Freund
Date:
Subject: Re: Postgres perl module namespace