On Mon, Sep 18, 2006 at 02:49:23PM -0400, Pascal Meunier wrote:
> regardless of the outcome. Moreover, I'd rather be a carpet to the
> PostgreSQL developers than be cited as the cause for a security improvement
> not being made, due to having antagonized so much the developers. Please,
> consider the issue and not the silly messenger.
The problem is that the issue is rather more complicated than you let on.
Backward compatibility is a big deal. The principle of least surprise also
dictates that whatever default permissions are chosen should be the same for
every function and not depend on various attributes. By your reasoning we
should also have different default permissions if the function is in an
untrusted language, or if the language doesn't have a validator. Where do you
draw the line?

Someone writing SECURITY DEFINER in their function definition has to be
understood to know what they're doing. After all, "chmod +s" doesn't reset
global execute permissions either, because that would be far too confusing.
The same applies here IMHO. The whole point is to be executed by other users.

We need much stronger arguments than what's been given so far.

Have a nice day,
-- 
Martijn van Oosterhout <kleptog@svana.org>   http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to
> litigate.
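As an added illustration (this is not code from Martijn's message or from the PostgreSQL project; the role, table and function names are constructed for the example), the default Martijn describes, EXECUTE granted to PUBLIC on every new function whether or not it is SECURITY DEFINER, and the explicit REVOKE/GRANT an owner uses to narrow a SECURITY DEFINER function to the roles it is meant for:

```sql
-- Constructed example: a SECURITY DEFINER wrapper over a table that only its
-- owner may read, and the privilege handling around it. Names are assumptions.

CREATE ROLE app_reader NOLOGIN;   -- the role that should be allowed to call it
CREATE ROLE other_user NOLOGIN;   -- any other role, used to verify the revoke

CREATE TABLE audit_log (id serial PRIMARY KEY, entry text);
REVOKE ALL ON audit_log FROM PUBLIC;   -- direct reads only by the owner

-- Runs with the owner's privileges no matter who calls it. The search_path
-- is pinned, which the PostgreSQL documentation recommends for every
-- SECURITY DEFINER function so the body resolves objects predictably.
CREATE FUNCTION audit_count() RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$ SELECT count(*) FROM public.audit_log $$;

-- The default Martijn refers to: every role can execute a new function.
-- Both of these return true at this point.
SELECT has_function_privilege('app_reader', 'audit_count()', 'EXECUTE');
SELECT has_function_privilege('other_user', 'audit_count()', 'EXECUTE');

-- Narrow it explicitly. Doing both statements in one transaction avoids a
-- window in which the function is either still open to everyone or callable
-- by nobody.
BEGIN;
REVOKE EXECUTE ON FUNCTION audit_count() FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION audit_count() TO app_reader;
COMMIT;

-- Verify the narrowed state: true for app_reader, false for other_user.
SELECT has_function_privilege('app_reader', 'audit_count()', 'EXECUTE');
SELECT has_function_privilege('other_user', 'audit_count()', 'EXECUTE');

-- The server-wide default stays as it is (the backward-compatibility point in
-- the message), but since PostgreSQL 9.0 an owner can change the default for
-- functions they create from now on, so the REVOKE above is not forgotten:
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
```

The two has_function_privilege checks are the test a reviewer would run after creating any SECURITY DEFINER function: if a role with no business calling it still gets true, the default grant to PUBLIC is still in place.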