Re: Security leak with trigger functions? - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: Security leak with trigger functions?
Date
Msg-id 4582D880.1060100@dunslane.net
In response to Re: Security leak with trigger functions?  (Martijn van Oosterhout <kleptog@svana.org>)
List pgsql-hackers
Martijn van Oosterhout wrote:
> On Fri, Dec 15, 2006 at 11:52:33AM -0500, Andrew Dunstan wrote:
>   
>> Isn't the problem that they can do more than just things with the table? 
>> If the trigger runs as the owner of the table it can do *anything* the 
>> owner can do. So if we allow the alter privilege to include ability to 
>> place a trigger then that privilege includes everything the owner can do 
>> (including granting/revoking other privileges). Surely that is not what 
>> was intended. Arguably we should invent a concept of an explicit trigger 
>> owner.
>>     
>
> I thought the problem was the other way round. That some person created
> a function as SECURITY DEFINER but restricted EXECUTE permissions. And
> now anybody can create a table and use that function as a trigger and
> it will be executed even though neither the owner of the table nor the
> person executing the trigger has EXECUTE permissions.
>
> Triggers don't have owners because like you said, the table owner
> controls them. The point is that there's no check that the table owner
> is actually allowed to execute the function being used as trigger.
>
> The trigger never runs as the owner of the table AIUI, only ever as the
> definer of the function or as session user.
>
>
>   

OK, sorry for the confusion.

cheers

andrew
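
The check described in the quoted text as missing (whether the table owner is actually allowed to execute the function used as a trigger) can be run after the fact as a catalog audit. The query below is an added example, not part of the original message or of the PostgreSQL sources; it assumes a PostgreSQL release whose `pg_trigger` catalog has the `tgisinternal` column.

```sql
-- Added example: list triggers that call a SECURITY DEFINER function
-- on which the owner of the table holds no EXECUTE privilege.
-- Run as a role that can read the system catalogs in the target database.
SELECT
    c.oid::regclass              AS table_name,
    pg_get_userbyid(c.relowner)  AS table_owner,
    t.tgname                     AS trigger_name,
    p.oid::regprocedure          AS trigger_function,
    pg_get_userbyid(p.proowner)  AS function_owner   -- role the function body runs as
FROM pg_trigger t
JOIN pg_class   c ON c.oid = t.tgrelid
JOIN pg_proc    p ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal          -- skip constraint/FK triggers created by the system
  AND p.prosecdef                 -- function is SECURITY DEFINER
  AND NOT has_function_privilege(c.relowner, p.oid, 'EXECUTE')
ORDER BY table_name, trigger_name;
```

Each row returned is a trigger that runs with the function owner's privileges although the table owner was never granted EXECUTE on that function. Superuser table owners never appear, because `has_function_privilege` always returns true for them.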


