Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> (In other words, it's not that hard to build
>> a "RUN AS other-user" feature into a C function, even without any support
>> from the rest of the system.)

> I was considering this and a bit concerned about what would happen if
> the C function actually did this and if we'd clean things up properly at
> the end or if the function would be required to handle that clean-up
> (if it was written as SECUURITY INVOKER, which is what's being suggested
> here)...

It would have to remember to restore the previous role on normal exit,
but I believe that the system would take care of cleanup if an error is
thrown. Looking at fmgr_security_definer, there are just a couple of
lines involved with changing the active role. (There's a boatload of
*other* crap that's been shoved into that function over time, but the
part of it that actually does what it's named for is pretty darn small.)

> Alvaro's point about the discussion of a stack of roles is certainly
> something else to consider, though I feel that the 'run-as' option is
> pretty straight-forward and could be done more-or-less identically to
> how we do secuirty definer now, it's just changing where we get the role
> to change to before running the function.

Yes, it would surely not be much more code, just a bit added here:

if (procedureStruct->prosecdef)
fcache->userid = procedureStruct->proowner;

regards, tom lane