On 2/22/23 14:12, Mark Dilger wrote:
> On Feb 22, 2023, at 10:49 AM, Jeff Davis <pg...@j-davis.com> wrote:
>> On Wed, 2023-02-22 at 09:27 -0800, Mark Dilger wrote:
>>> Another option is to execute under the intersection of their
>>> privileges, where both the definer and the invoker need the
>>> privileges in order for the action to succeed.  That would be more
>>> permissive than the proposed SECURITY NONE, while still preventing
>>> either party from hijacking privileges of the other.
>>
>> Interesting idea, I haven't heard of something like that being done
>> before. Is there some precedent for that or a use case where it's
>> helpful?
>
> No current use case comes to mind, but I proposed it for event
> triggers one or two development cycles ago, to allow for
> non-superuser event trigger owners.  The problems associated with
> allowing non-superusers to create and own event triggers were pretty
> similar to the problems being discussed in this thread.


The intersection of privileges is used, for example, in multi-level security contexts, where the intersection of the network-allowed levels and the subject-allowed levels is used to bracket what can be accessed and how.

Other examples I found with a quick search:

https://docs.oracle.com/javase/8/docs/api/java/security/AccessController.html#doPrivileged-java.security.PrivilegedAction-java.security.AccessControlContext-

https://learn.microsoft.com/en-us/dotnet/api/system.security.permissions.dataprotectionpermission.intersect?view=dotnet-plat-ext-7.0


--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
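To make the three execution modes under discussion concrete, the following added example (not PostgreSQL code and not from anyone in this thread) models them as operations on privilege sets: SECURITY DEFINER runs the body with the owner's privileges, SECURITY INVOKER with the caller's, and the proposed intersection mode only with privileges both hold. The roles `alice` and `bob`, the objects, and the privilege table are constructed for illustration; the `borrowed_privs` helper is a hypothetical name that reports which privileges the running code exercises on one party's behalf that the other party lacks, which is exactly what each existing mode lets one side "hijack" from the other and what the intersection rules out.

```python
"""Toy model of function execution privilege modes (added example, not PostgreSQL code)."""
from enum import Enum


class Mode(Enum):
    """Whose privileges a function body runs with."""
    DEFINER = "definer"            # run with the function owner's privileges
    INVOKER = "invoker"            # run with the caller's privileges
    INTERSECTION = "intersection"  # proposed: both parties must hold the privilege


# Constructed privilege table (hypothetical roles and objects):
# role -> set of (privilege, object) pairs the role holds directly.
PRIVS = {
    "alice": {("SELECT", "payroll"), ("UPDATE", "payroll"), ("SELECT", "public_data")},
    "bob":   {("SELECT", "public_data"), ("INSERT", "audit_log")},
}


def effective_privs(definer, invoker, mode):
    """Privilege set a function body gets when `definer` owns it and `invoker` calls it."""
    d = PRIVS.get(definer, set())
    i = PRIVS.get(invoker, set())
    if mode is Mode.DEFINER:
        return set(d)
    if mode is Mode.INVOKER:
        return set(i)
    return d & i  # intersection: only privileges both parties hold


def check(definer, invoker, mode, privilege, obj):
    """True if an action inside the function body is permitted under `mode`."""
    return (privilege, obj) in effective_privs(definer, invoker, mode)


def borrowed_privs(definer, invoker, mode):
    """Privileges the running code holds that one of the two parties lacks.

    Under DEFINER the caller reaches the owner's extra privileges; under
    INVOKER the owner's code reaches the caller's extra privileges.  The
    intersection mode returns an empty set by construction, which is the
    "neither party can hijack the other" property from the thread.
    """
    d = PRIVS.get(definer, set())
    i = PRIVS.get(invoker, set())
    return effective_privs(definer, invoker, mode) - (d & i)


if __name__ == "__main__":
    # A function owned by alice, called by bob, whose body touches payroll and audit_log.
    for mode in Mode:
        print(f"{mode.value:13} SELECT payroll: {check('alice', 'bob', mode, 'SELECT', 'payroll')!s:5} "
              f"INSERT audit_log: {check('alice', 'bob', mode, 'INSERT', 'audit_log')!s:5} "
              f"borrowed: {sorted(borrowed_privs('alice', 'bob', mode))}")
```

Running it prints one line per mode: DEFINER lets bob read payroll through alice's function, INVOKER lets alice's code insert into audit_log with bob's rights, and only the intersection mode leaves `borrowed` empty while still allowing the action both roles are entitled to (SELECT on public_data).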


