The following bug has been logged online:
Bug reference: 1874
Logged by: Mark Diener
Email address: md(at)realmwireless(dot)com
PostgreSQL version: 8.03
Operating system: linux-i686
Description: Non-Execute Privileges enforced on grant
It seems the EXECUTE privilege is not the only privilege that is being
checked during the execution of a PL/psql procedure language/function.
Only a superuser can execute non-trusted languages like python thus making
the python language unusable for average user. Only for superusers. What
happens when you want the python stored procedures to implement a layer of
security for standard users?
Then the pl/SQL language enforces SELECT/UPDATE/INSERT privileges on tables.
It would appear intuitive that only the EXECUTE privilege should be
evaluated when a stored procedure executes. By default, all superuser and
owner privileges should be allowed except for the EXECUTE privilege.
What happens when you want the pg/SQL stored procedures to implement a layer
of security for standard users and you don't want general users to have
select/update/insert privilege? It is not an option to skip the select SQL
statement within stored procedures.
pgsql-bugs by date
|Next:||From: Byron||Date: 2005-09-10 16:46:44|
|Subject: BUG #1875: Function parameter names clash with table column names|
|Previous:||From: Lee Benson||Date: 2005-09-10 04:52:08|
|Subject: BUG #1873: "Invalid username specified" during install|