On Tue, Jul 14, 2026 at 09:54:22AM -0400, Robert Haas wrote:
> For many years now, the PostgreSQL security team has been receiving
> reports that the TRIGGER and REFERENCES permissions are dangerous to
> grant. This is not news, at least to me, and I actually feel like I
> remember Tom making some comment about this on this list a long time
> ago, but the searches I have tried so far have failed to locate that
> email, so either I hallucinated it (heh, heh) or my search-fu is not
> up to the task.

Here's a couple:

    https://postgr.es/m/[email protected]
    
https://postgr.es/m/flat/52EF20B2E3209443BC37736D00C3C1380BE323DC%40EXADV1.host.magwien.gv.at

> But for reasons which many of you may be able to guess, the rate of
> such reports has increased lately, and I rather suspect it will
> continue to increase. While that's frustrating, it is also true that
> this is something that really should be called out in the
> documentation, so here's a patch to do that. I modeled this on the
> existing language we use for granting pg_execute_server_program. If
> you don't like that language, feel free to suggest alternatives.

+1.  I wonder if we should promote these to <note> or even <warning>.
While I'm hesitant to pepper the docs with too many more of those, this
seems like the sort of thing we don't want users to miss.

-- 
nathan


Reply via email to