Skip site navigation (1) Skip section navigation (2)

BUG #1874: Non-Execute Privileges enforced on grant

From: "Mark Diener" <md(at)realmwireless(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #1874: Non-Execute Privileges enforced on grant
Date: 2005-09-10 08:33:15
Message-ID: 20050910083315.43380F0B10@svr2.postgresql.org (view raw or flat)
Thread:
Lists: pgsql-bugs
The following bug has been logged online:

Bug reference:      1874
Logged by:          Mark Diener
Email address:      md(at)realmwireless(dot)com
PostgreSQL version: 8.03
Operating system:   linux-i686
Description:        Non-Execute Privileges enforced on grant
Details: 

It seems the EXECUTE privilege is not the only privilege that is being
checked during the execution of a PL/psql procedure language/function.

Only a superuser can execute non-trusted languages like python thus making
the python language unusable for average user.  Only for superusers.  What
happens when you want the python stored procedures to implement a layer of
security for standard users?

Then the pl/SQL language enforces SELECT/UPDATE/INSERT privileges on tables.
 It would appear intuitive that only the EXECUTE privilege should be
evaluated when a stored procedure executes.  By default, all superuser and
owner privileges should be allowed except for the EXECUTE privilege.

What happens when you want the pg/SQL stored procedures to implement a layer
of security for standard users and you don't want general users to have
select/update/insert privilege?  It is not an option to skip the select SQL
statement within stored procedures.

Responses

pgsql-bugs by date

Next:From: ByronDate: 2005-09-10 16:46:44
Subject: BUG #1875: Function parameter names clash with table column names
Previous:From: Lee BensonDate: 2005-09-10 04:52:08
Subject: BUG #1873: "Invalid username specified" during install

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group