"Roberts, Jon" <Jon.Roberts@asurion.com> writes:
> <soapbox>
> Executing a function should never require privileges on the underlying
> objects referenced in it. The function should always run with the rights of
> the owner of the function, not the user executing it.
> </soapbox>
You might want to climb off that soapbox for long enough to read the
various security-related threads that have been in this mailing list
over the past year or so. Security-definer functions are seriously
at risk from trojan-horse exploits; particularly in an extensible system
such as Postgres.
Certainly there are cases where you want a function to change privilege
levels as sketched above. But I'd argue that there are a huge number
of cases where a function is just providing convenient shorthand for
something the caller could do for himself --- and when that's the case,
making it have more/different privileges from the caller is simply
taking a risk for no reward.
regards, tom lane
