Re: eval function - Mailing list pgsql-general
From | saeed ahmed |
---|---|
Subject | Re: eval function |
Date | |
Msg-id | CAK05ZxEfk++iobgY1stbrEy1zuQfDjwF2xQyssFC9qnWs-fAEg@mail.gmail.com Whole thread Raw |
In response to | Re: eval function (Chris Travers <chris.travers@gmail.com>) |
Responses |
Re: eval function
User Interface [was : eval function] |
List | pgsql-general |
i am new to postgresql and not very good in english language.i need help to understand,how i can make,(by using postgresql)something like microsofts access.i remebre you see a lot of buttons and functions.when you finish inserting some data,you have something permanent like a software that remains for ever.and everytime you need to insert new data ,you can simply. another example is openoffice's base.where you can make tables,queries and lot more. what i want to know is how can one use postgresql like microsoft access or openoffices base? 2011/7/31, Chris Travers <chris.travers@gmail.com>: >> Any security definer function should be designed with security in mind. >> That >> is the responsibility of the dba. You can't limit the dba in what he can >> do >> just in case he doesn't know what he is doing. You can suggest, but if the >> dba thinks he knows what he is doing, give him all the tools to do it. >> If the function can cause privilege escalation when not in a security >> definer function, then I would say there is a serious problem with the >> security system of the engine. Can you think of any possibility where a >> function would allow privilege escalation when it is not in a security >> definer function? > > No I can't. But you can actually prevent this problem by making the > function security definer. Something like: > > CREATE SCHEMA evaljail; > CREATE USER evaljail; > GRANT USAGE ON SCHEMA evaljail TO evaljail; > REVOKE CREATE ON SCHEMA evaljail FROM evaljail; > REVOKE USAGE ON SCHEMA public FROM evaljail; > CREATE FUNCTION evaljail.eval...... > ALTER FUNCTION evaljail.eval OWNER TO evaljail; > ALTER FUNCTION evaljail.eval SECURITY DEFINER; > > Now the function has no table access at all. > > > postgres=# select evaltest.eval('select * from public.test'); > ERROR: permission denied for schema public > LINE 1: select (select * from public.test)::text as res1 > ^ > QUERY: select (select * from public.test)::text as res1 > CONTEXT: PL/pgSQL function "eval" line 8 at EXECUTE statement > postgres=# select evaltest.eval('1 - 2'); > eval > ------ > -1 > (1 row) > > Best Wishes, > Chris Travers > > -- > Sent via pgsql-general mailing list (pgsql-general@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-general >
pgsql-general by date: