On Tue, Apr 5, 2011 at 3:45 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > hubert depesz lubaczewski <dep...@depesz.com> writes: >> was pointed to the fact that security definer functions have the same >> default privileges as normal functions in the same language - i.e. if >> the language is trusted - public has the right to execute them. > >> maybe i'm missing something important, but given the fact that security >> definer functions are used to get access to things that you usually >> don't have access to - shouldn't the privilege be revoked by default, >> and grants left for dba to decide? > > I don't see that that follows, at all. The entire point of a security > definer function is to provide access to some restricted resource to > users who couldn't get at it with their own privileges. Having it start > with no privileges would be quite useless.
Agreed. If somebody is creating a security definer function then they are explicitly relaxing security. It's a little hard for people doing that to say that they were not aware of security and forgot to issue GRANTs to carefully define who got the new capability. -- Simon Riggs http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
