Thread: default EXECUTE privilege
Documentation says "By default, only the owner (creator) of the function has the right to execute it."

But for me newly created function has execute privilege to public by default. And we have to execute "revoke execute on function ... from public". Why?

Version is 7.3.2

--
Sergey Suleymanov

Sergey Suleymanov <solt@eatpbank.ru> writes:
> Documentation says "By default, only the owner (creator) of the
> function has the right to execute it."

That's a documentation error. Where do you see it exactly? I can't
find such a statement in the current sources.

> But for me newly created function has execute privilege to
> public by default. And we have to execute "revoke execute on
> function ... from public". Why?

We decided that was the most useful default.

regards, tom lane

Last line just before EXAMPLES
http://www.us.postgresql.org/postgresql-7.3.3/sql-createfunction.html

Highlighted:
http://216.239.33.104/search?q=cache:soHhFN4V1IMJ:www.us.postgresql.org/postgresql-7.3.3/sql-createfunction.html++site:www.us.postgresql.org+default,+only+the+owner+%22%2Bof+%2Bthe+function%22++right+to+execute+it&hl=en&ie=UTF-8

At 10:48 AM 9/5/2003 -0400, Tom Lane wrote:
>Sergey Suleymanov <solt@eatpbank.ru> writes:
> > Documentation says "By default, only the owner (creator) of the
> > function has the right to execute it."
>
>That's a documentation error. Where do you see it exactly? I can't
>find such a statement in the current sources.
>
> > But for me newly created function has execute privilege to
> > public by default. And we have to execute "revoke execute on
> > function ... from public". Why?
>
>We decided that was the most useful default.
>
> regards, tom lane
>
>---------------------------(end of broadcast)---------------------------
>TIP 4: Don't 'kill -9' the postmaster

Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
>> That's a documentation error. Where do you see it exactly? I can't
>> find such a statement in the current sources.

> Last line just before EXAMPLES
> http://www.us.postgresql.org/postgresql-7.3.3/sql-createfunction.html

Ah. Looks like it's already been removed from the 7.4 docs.

The GRANT reference page does state the situation correctly:

    Depending on the type of object, the initial default privileges may
    include granting some privileges to PUBLIC. The default is no public
    access for tables and schemas; TEMP table creation privilege for
    databases; EXECUTE privilege for functions; and USAGE privilege for
    languages. The object creator may of course revoke these privileges.

regards, tom lane

>>>>> Tom Lane writes:

Tom> We decided that was the most useful default.

Well, not too useful when "SECURITY DEFINER" is used.
Anyway thank you for explanation.

--
Sergey Suleymanov
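
The interaction raised at the end of this thread, shown as an added example that is not part of the original messages: a SECURITY DEFINER function inherits the default EXECUTE grant to PUBLIC unless it is revoked, so the revoke is done in the same transaction that creates the function. The table, function and role names are constructed, and the syntax assumes a current PostgreSQL release rather than 7.3.

```sql
-- Added example; accounts, account_balance and teller are constructed names.
-- Assumes a current PostgreSQL release (CREATE ROLE postdates 7.3).
BEGIN;

CREATE ROLE teller NOLOGIN;

-- Tables start with no PUBLIC access, so only the owner can read this one.
CREATE TABLE accounts (
    id      integer PRIMARY KEY,
    balance numeric NOT NULL
);

-- SECURITY DEFINER: the body runs with the owner's privileges, so anyone
-- allowed to EXECUTE the function can read balances through it.
CREATE FUNCTION account_balance(integer) RETURNS numeric AS
    'SELECT balance FROM accounts WHERE id = $1'
    LANGUAGE sql STABLE SECURITY DEFINER;

-- proacl is NULL at this point, meaning the built-in default applies:
-- the owner's rights plus EXECUTE for PUBLIC.
SELECT proname, prosecdef, proacl
  FROM pg_proc
 WHERE proname = 'account_balance';

-- Remove the default grant and give EXECUTE to the intended role only.
REVOKE EXECUTE ON FUNCTION account_balance(integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION account_balance(integer) TO teller;

-- proacl now lists explicit entries for the owner and teller, none for PUBLIC.
SELECT proname, prosecdef, proacl
  FROM pg_proc
 WHERE proname = 'account_balance';

-- CREATE and REVOKE commit together, so no other session ever sees the
-- function with the default PUBLIC grant.
COMMIT;

-- Audit: SECURITY DEFINER functions that PUBLIC can still execute.
SELECT p.oid::regprocedure AS function_signature
  FROM pg_proc p
 WHERE p.prosecdef
   AND has_function_privilege('public', p.oid, 'EXECUTE');
```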