Re: [SQL] Function security? - Mailing list pgsql-sql

From wieck@debis.com (Jan Wieck)
Subject Re: [SQL] Function security?
Date
Msg-id m10uDHH-0003kLC@orion.SAPserv.Hamburg.dsh.de
Whole thread Raw
In response to Function security?  (stevew <stevew@bigeric.force9.co.uk>)
List pgsql-sql
>
> I wish to control access to some tables, so I do not want to grant
> select to all users. Instead I would like to use some functions which
> return the info.
>
> So I have some tables owned by admin
> I have a user who does not have select permission on the tables owned by
> admin.
> admin has created some functions which perform some selects on admin's
> tables.
> When user runs these functions, user gets permission denied.
>
> Is there a way to let the user be admin when running the functions ????
>
> You can do this with Oracle.

    PostgreSQL  doesn't support this kind of SETUID for functions
    or trigger procedures up to now (there are plans to do so but
    it didn't make it for v6.5).

    You  could  use  a  view instead, which presents the data you
    want to make accessible, and grant the  required  permissions
    on  the view.  The view should not contain any function calls
    that internally do  their  own  queries  (usually  over  SPI)
    because  these  function  internal queries are again executed
    under the current users permissions and would probably  fail.


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#========================================= wieck@debis.com (Jan Wieck) #

pgsql-sql by date:

Previous
From: Remigiusz Sokolowski
Date:
Subject: Re: [SQL] converting from number to text
Next
From: "D'Arcy" "J.M." Cain
Date:
Subject: Re: [HACKERS] Postgres mailing lists