| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | 德哥 <digoal(at)126(dot)com> |
| Cc: | "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #13651: trigger security invoker attack |
| Date: | 2015-09-30 12:59:35 |
| Message-ID: | CAKFQuwZb7s3_gTLLQhVNsTxRD1vqqDm_L9zJVRM13f5LCEh1uA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Wed, Sep 30, 2015 at 3:02 AM, 德哥 <digoal(at)126(dot)com> wrote:
> HI,
> If we can change the function's security dynamical, like :
> When function trigged in trigger or rule, force these function's
> security = table,mview,view's owner.
> There will no risks in the case.
>
> PS: MySQL do that.
>
IOW: "
Relations that are used due to rules get checked against the privileges of
the rule owner, not the user invoking the rule
." should apply to functions as well.
http://www.postgresql.org/docs/9.4/static/rules-privileges.html
I would agree and thought they did but your most example does seem to
indicate otherwise...
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Janes | 2015-09-30 17:03:29 | Re: GRANT USAGE ON SEQUENCE missing from psql command completion |
| Previous Message | marc hamelin | 2015-09-30 10:48:47 | postgresql 9.4 with nested "order by" |