| From: | "Paul Mackay" <mackaypaul(at)gmail(dot)com> |
|---|---|
| To: | "Michael Fuhr" <mike(at)fuhr(dot)org> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Utility of GRANT EXECUTE |
| Date: | 2006-03-14 08:57:54 |
| Message-ID: | 786c2f6d0603140057v37e64f84h52c60e6563091b3f@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Is there a way to change the default prvilege on functions, i.e. that like
for tables, only the creator has privilege on it by default ?
Thanks.
Paul
On 3/14/06, Michael Fuhr <mike(at)fuhr(dot)org> wrote:
>
> On Tue, Mar 14, 2006 at 09:24:52AM +0100, Paul Mackay wrote:
> > It seems that any user has the right to execute a function, whether or
> not
> > it has been granted the EXECUTE privilege on it. Even a REVOKE EXECUTE
> has
> > no impact. A privilige error will be raised only if the function tries
> to
> > access an object (ex.: a table) for witch the user doesn't have the
> > appropriate privilege(s).
>
> Revoking EXECUTE from an individual user has no effect if public
> still has privileges, which is does by default.
>
> > Is there any utility to the GRANT EXECUTE then ?
>
> If you revoke public's privileges then GRANT EXECUTE has an effect.
>
> test=> create function foo() returns integer as 'select 1' language sql;
> CREATE FUNCTION
> test=> revoke all on function foo() from public;
> REVOKE
> test=> grant execute on function foo() to user1;
> GRANT
> test=> \c - user1
> You are now connected as new user "user1".
> test=> select foo();
> foo
> -----
> 1
> (1 row)
>
> test=> \c - user2
> You are now connected as new user "user2".
> test=> select foo();
> ERROR: permission denied for function foo
>
> --
> Michael Fuhr
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Harald Armin Massa | 2006-03-14 09:23:27 | Re: stored procedure |
| Previous Message | Michael Fuhr | 2006-03-14 08:40:28 | Re: Utility of GRANT EXECUTE |