Hello hackers,
Currently PostgreSQL only allows creating event triggers for superusers; this prevents usage on PostgreSQL service providers, which do not grant superuser access.
This patch allows database owners to create event triggers, while preventing privilege escalation.
Unlike superuser event triggers, which execute functions for every role, database owner event triggers are only executed for non-superusers.
This is necessary to prevent privesc, i.e. a superuser tripping on an event trigger containing an `ALTER ROLE dbowner SUPERUSER`.
For skipping dbowner event triggers for superusers:
- A restriction is added for superuser event triggers: the event trigger function must be owned by a superuser.
  + While this is a breaking change, I think it's minor as the usual flow is to "login as superuser" -> "create an evtrig function" -> "create the evtrig". This is also proved by the existing tests, which barely change.
- A restriction is added for dbowner event triggers: the event trigger function must not be owned by a superuser.
This way we can filter dbowner event trigger functions inside `EventTriggerInvoke`.
Tests are included in the patch; I've added a dedicated regression file for easier review. Only a couple of error messages of the existing event trigger regression tests are changed.
Any feedback is welcome. I haven't added docs yet but I'll gladly add them if the community thinks this patch makes sense.
Best regards,
Steve Chavez
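
An added example, not part of the original message or of the patch: an audit query over the standard catalogs `pg_event_trigger`, `pg_proc` and `pg_roles` that lists each event trigger with the superuser status of its owner and of its function's owner, and labels it against the two ownership restrictions described above. The wording in the `assessment` column is an assumption about how the proposal would classify each case; the column aliases are chosen here.

```sql
-- Added example: check existing event triggers against the ownership
-- rules proposed in the message above. Read-only; run per database,
-- since pg_event_trigger is a per-database catalog.
SELECT
    et.evtname                AS event_trigger,
    et.evtevent               AS event,
    et.evtenabled             AS enabled,            -- 'D' means disabled
    trig_owner.rolname        AS trigger_owner,
    trig_owner.rolsuper       AS trigger_owner_is_superuser,
    et.evtfoid::regprocedure  AS trigger_function,
    func_owner.rolname        AS function_owner,
    func_owner.rolsuper       AS function_owner_is_superuser,
    CASE
        -- Superuser trigger whose function a non-superuser owns: the
        -- function owner can replace the body that runs for every role.
        WHEN trig_owner.rolsuper AND NOT func_owner.rolsuper
            THEN 'fails proposed rule: function must be superuser-owned'
        -- Non-superuser trigger pointing at a superuser-owned function.
        WHEN NOT trig_owner.rolsuper AND func_owner.rolsuper
            THEN 'fails proposed rule: function must not be superuser-owned'
        WHEN trig_owner.rolsuper
            THEN 'superuser trigger: executes for every role'
        ELSE 'dbowner trigger: would be skipped for superusers'
    END                       AS assessment
FROM pg_event_trigger AS et
JOIN pg_proc  AS p          ON p.oid = et.evtfoid
JOIN pg_roles AS trig_owner ON trig_owner.oid = et.evtowner
JOIN pg_roles AS func_owner ON func_owner.oid = p.proowner
ORDER BY et.evtname;
```

Rows in the first `assessment` category are the ones the breaking change mentioned above would affect on an existing cluster.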