On Tue, Apr 5, 2011 at 3:45 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> hubert depesz lubaczewski <depesz@depesz.com> writes:
>> was pointed to the fact that security definer functions have the same
>> default privileges as normal functions in the same language - i.e. if
>> the language is trusted - public has the right to execute them.
>
>> maybe i'm missing something important, but given the fact that security
>> definer functions are used to get access to things that you usually
>> don't have access to - shouldn't the privilege be revoked by default,
>> and grants left for dba to decide?
>
> I don't see that that follows, at all. The entire point of a security
> definer function is to provide access to some restricted resource to
> users who couldn't get at it with their own privileges. Having it start
> with no privileges would be quite useless.
Agreed.
If somebody is creating a security definer function then they are
explicitly relaxing security. It's a little hard for people doing that
to say that they were not aware of security and forgot to issue GRANTs
to carefully define who got the new capability.
--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services