KaiGai Kohei wrote:
> I wonder why the vanilla PostgreSQL does not put pg_proc_aclcheck()
> on the ExecCallTriggerFunc().
I don't think we can assume any trigger functions are "trusted",
because normal users with ACL_TRIGGER privilege can set their
procedures on the allowed tables.
It also means someone without ACL_EXECUTE can invoke the functions,
but I cannot believe ACL_TRIGGER implicitly contains such a meaning.
Indeed, I put a hook to check db_procedure:{execute} permission
in SELinux, but putting pg_proc_aclcheck() here is meaningful
not only for SE-PostgreSQL users.
I found another matter related to triggers.
I'll report it in another message.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
*** src/backend/commands/trigger.c (revision 1704)
--- src/backend/commands/trigger.c (working copy)
***************
*** 1560,1566 ****
--- 1560,1576 ----
* call.
*/
if (finfo->fn_oid == InvalidOid)
+ {
+ AclResult aclresult;
+
+ aclresult = pg_proc_aclcheck(trigdata->tg_trigger->tgfoid,
+ GetUserId(), ACL_EXECUTE);
+ if (aclresult != ACLCHECK_OK)
+ aclcheck_error(aclresult, ACL_KIND_PROC,
+ get_func_name(trigdata->tg_trigger->tgfoid));
+
fmgr_info(trigdata->tg_trigger->tgfoid, finfo);
+ }
Assert(finfo->fn_oid == trigdata->tg_trigger->tgfoid);
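Review bot: The pg_proc_aclcheck() call sits inside the `if (finfo->fn_oid == InvalidOid)` branch, so ACL_EXECUTE is checked only when the FmgrInfo is first filled in, not on every trigger invocation. If that is intended, the comment above the branch should say so, since a later change to the function's ACL would not be seen while the cached finfo is reused. The check also uses GetUserId(), which is the user running the statement that fires the trigger, while the concern in the message is the user holding ACL_TRIGGER who attached the procedure. A short comment should state which of the two identities is meant to need EXECUTE here. If it is the one who attached the function, a matching check at trigger creation time may be the better place.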