Re: Allow database owners to CREATE EVENT TRIGGER - Mailing list pgsql-hackers

From Isaac Morland
Subject Re: Allow database owners to CREATE EVENT TRIGGER
Msg-id CAMsGm5fKnupSyBmmoH6T1qV3VCEABo_za5eW2fr6fi6vLTV4xw@mail.gmail.com
In response to Re: Allow database owners to CREATE EVENT TRIGGER  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Wed, 5 Mar 2025 at 10:28, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I wrote:
> > Or in other words: not-superuser to superuser is far from the only
> > type of privilege escalation that we need to prevent.
>
> After reflecting on that for a moment: maybe say that an event trigger
> fires for queries that are run by a role that the trigger's owning
> role is a member of?  That changes nothing for superuser-owned
> triggers.

Can somebody remind me why triggers don't run as their owner in the first place?

It would make triggers way more useful, and eliminate the whole issue of trigger owners escalating to whoever tries to access the object on which the trigger is defined.
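The two points above (a trigger body runs as the role issuing the statement, and Tom's proposed membership rule) as an added illustration that is not part of this thread. Role and table names are made up, and the script assumes a scratch database and a superuser session:

```sql
-- Added illustration, not code from the thread: which role a trigger body
-- runs as today, and a trigger that emulates the membership rule proposed
-- above. Role and table names are made up; run as a superuser in a scratch DB.
CREATE ROLE app_owner NOLOGIN;   -- owns the table, hence the trigger
CREATE ROLE reporter  NOLOGIN;   -- unrelated role that updates the table
CREATE ROLE teammate  NOLOGIN;   -- a role that app_owner is a member of
GRANT teammate TO app_owner;

CREATE TABLE events (id int, note text);
ALTER TABLE events OWNER TO app_owner;
GRANT UPDATE ON events TO reporter, teammate;
CREATE TABLE trigger_runs (trigger_name name, body_ran_as name);
GRANT INSERT ON trigger_runs TO PUBLIC;

-- Default behaviour: the body runs with the privileges of the role issuing
-- the UPDATE (current_user), not those of app_owner, the trigger's owner.
CREATE FUNCTION record_run() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  INSERT INTO trigger_runs VALUES (TG_NAME, current_user);
  RETURN NULL;                   -- return value is ignored for AFTER triggers
END $$;
CREATE TRIGGER t_record AFTER UPDATE ON events
  FOR EACH STATEMENT EXECUTE FUNCTION record_run();

-- Emulating Tom Lane's proposed rule inside an ordinary trigger: only act
-- when the trigger's owner is a member of the role running the statement,
-- so the owner never borrows privileges it does not already hold.
CREATE FUNCTION guarded_run() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  IF pg_has_role('app_owner', current_user, 'MEMBER') THEN
    INSERT INTO trigger_runs VALUES (TG_NAME, current_user);
  END IF;
  RETURN NULL;
END $$;
CREATE TRIGGER t_guarded AFTER UPDATE ON events
  FOR EACH STATEMENT EXECUTE FUNCTION guarded_run();

-- Exercise both triggers from each role (SET ROLE works from a superuser).
SET ROLE reporter; UPDATE events SET note = 'r'; RESET ROLE;
SET ROLE teammate; UPDATE events SET note = 't'; RESET ROLE;
SELECT * FROM trigger_runs ORDER BY 1, 2;
```

The t_record rows show the body running as reporter and then as teammate rather than as app_owner, while t_guarded records only the teammate statement, because app_owner is not a member of reporter.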
