On Tue, Jul 14, 2026 at 09:54:22AM -0400, Robert Haas wrote: > [...]. At least for TRIGGER, I > think this is pretty intuitive. If you cannot foresee that letting > someone create triggers on your table might lead to a security > exposure, you haven't thought very hard. The issue with REFERENCES is > admittedly more subtle. At least to me, it's abundantly clear that > letting your arch-nemesis create foreign keys pointing to your table > is a bad idea, because they'll probably use that access to make your > life miserable. I find it somewhat less clear, but it is nonetheless > true, that it lets them run code of their choosing as you -- and > AFAICS there's nothing we can really do about that without removing > SQL functionality upon which lots of people depend.
It lets them run their code as you because trigger procedures run as the current_user, right? Maybe there should be some cases where SECURITY DEFINER is implied, or where not having it is an error. E.g., if I create a tigger or foreign key on a table I don't own but do have the corresponding grant, then maybe my triggers' trigger procedures should have to be SECURITY DEFINER. The problem is that cascading this property may not be possible, and anyways it's silly for all the reasons you give, so a documentation fix seems like the best/only thing to do. > IMHO, apart from patching the documentation, the other thing we might > want to consider doing is removing one or both of these privileges > entirely, and making them part of table ownership. I think there's > basically no scenario where granting an untrusted user even limited > permission to perform DDL on your objects is a sensible thing to do. Hmmm, at $WORK we don't give many users access to DBs, we generally don't give _any_ users access to DBs, only what we call "role accounts" (user accounts, yes, but used for automation not interactive sessions), and rarely more than a small handful per DB. In these cases these grant permissions are really not a problem because these accounts are generally used for related things and generally trust each other. So I wouldn't think this is a great idea, but I guess we could always deal. Nico --
