Skip site navigation (1) Skip section navigation (2)

Re: Permissions on aggregate component functions

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Permissions on aggregate component functions
Date: 2005-01-27 21:42:06
Message-ID: 20050127214206.GA8250@wolff.to (view raw or flat)
Thread:
Lists: pgsql-hackers
On Thu, Jan 27, 2005 at 15:27:54 -0500,
  Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> I just noticed that there is no permission check anywhere in CREATE
> AGGREGATE concerning the aggregate's transition and final functions.
> This means anyone can trivially bypass the function EXECUTE permission
> check: just make an aggregate function to call it for you.  (Now, this
> works only for functions whose signature fits what an aggregate
> expects, but for most one- and two-argument functions you can do it.)
> 
> Clearly this is a must-fix issue, but I'm wondering exactly where the
> check should be enforced.  Is it sufficient to check at the time of
> CREATE AGGREGATE that the creator has appropriate rights, or do we need
> to do it every time the aggregate is used?

I would think both would be best. If you don't check at runtime the function
owner can't easily revoke access (dropping the function might be a pain
if it is used in lots of places). It is nice to check at creation so as
to give immediate feedback if there is a problem.

In response to

pgsql-hackers by date

Next:From: Marc G. FournierDate: 2005-01-27 21:51:17
Subject: Re: Security Release Packaging ...
Previous:From: Mark WongDate: 2005-01-27 21:30:25
Subject: Re: [HACKERS] WAL: O_DIRECT and multipage-writer

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group