Re: Execute function without execute privilege

Another question, if we put functions into a schema and then use "grant
usage" on the schema is that considered an OK practice in postgresql to
limit users to a group of functions (I assume they would still have to have
usage on the schema to get to them).

-----Original Message-----
From: Walker, Jed S
Sent: Friday, May 06, 2005 8:46 AM
To: 'Tom Lane'
Cc: 'pgsql-novice(at)postgresql(dot)org'
Subject: RE: [NOVICE] Execute function without execute privilege

Do you mean that when I create a function an implicit "grant execute on
function" is done? If so, we would have to do a revoke with each grant. Or,
do you mean there is a public grant to "execute any function" that I can
just remove when I create the database (and if so, how?)

-----Original Message-----
From: Tom Lane [mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us]
Sent: Thursday, May 05, 2005 2:24 PM
To: Walker, Jed S
Cc: 'pgsql-novice(at)postgresql(dot)org'
Subject: Re: [NOVICE] Execute function without execute privilege

"Walker, Jed S" <Jed_Walker(at)cable(dot)comcast(dot)com> writes:
> I discovered today that when I create a function in a schema that
> another user has "grant usage" on, they are able to execute the
> function even though I've not granted them "execute" on the function.

> Is this normal behavior (from the manual I don't believe it is)?

Yes, it is, because the default for functions is to grant PUBLIC EXECUTE
access. Revoke that if you don't want it.

regards, tom lane