Re: BUG #13651: trigger security invoker attack - Mailing list pgsql-bugs

From David G. Johnston
Subject Re: BUG #13651: trigger security invoker attack
Date
Msg-id CAKFQuwZb7s3_gTLLQhVNsTxRD1vqqDm_L9zJVRM13f5LCEh1uA@mail.gmail.com
In response to BUG #13651: trigger security invoker attack  (digoal@126.com)
List pgsql-bugs
On Wed, Sep 30, 2015 at 3:02 AM, 德哥 <digoal@126.com> wrote:

> Hi,
> If we can change the function's security dynamically, like:
>     When a function is triggered in a trigger or rule, force the function's
> security = table, mview, or view's owner.
> There will be no risks in that case.
>
> PS: MySQL does that.
>

IOW: "Relations that are used due to rules get checked against the privileges of
the rule owner, not the user invoking the rule." should apply to functions as well.

http://www.postgresql.org/docs/9.4/static/rules-privileges.html

I would agree and thought they did but your most example does seem to
indicate otherwise...

David J.
