Postgres Pro
Downloads
Home   >   mailing lists

Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) - Mailing list pgsql-hackers

From Kevin Grittner
Subject Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)
Date
Msg-id 4FD7599D0200002500048391@gw.wicourts.gov
Whole thread Raw
In response to Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)
List pgsql-hackers
Tree view 
Tom Lane <tgl@sss.pgh.pa.us> wrote:
> A less bizarre and considerably more future-proof restriction,
> IMO, would simply refuse any attempt to give ownership of a C
> function to a non-superuser.
We have C replication trigger functions where this would be a bad
thing.  They can't work properly as SECURITY INVOKER, and I see it
as a big step backwards in security to make the only other option
SECURITY DEFINER with a superuser as the owner.  It's not too hard
to come up with other use cases where you want to grant one class of
users rights to do something only through a certain function, not
directly.
So there is clearly a need to support ownership of functions,
including C functions, by users who are effectively at an
"intermediate" level of trust.  We could conceivably use the
database owner for that role, but that seem unnecessarily limiting.
-Kevin

pgsql-hackers by date:

Previous
From: Dusan Misic
Date:
Subject: Re: Possible error in psql or Postgres?
Next
From: Tom Lane
Date:
Subject: Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)