Re: A function privilege problem

From: 高 云龙 <gaoyunlong(at)biss(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: A function privilege problem
Date: 2019-07-25 02:05:24
Message-ID: CB57E6F9-7994-49C8-8784-F411140282C0@biss.com
Lists: pgsql-bugs

> On 2019-07-24 at 10:09 AM, yunlong <gaoyunlong(at)biss(dot)com> wrote:
>
> What does PUBLIC mean? The public schema?
> My function is not in the public schema, and I can still execute the function with the new db user after running revoke execute on function xxx from xxx
>
>> On 2019-07-24 at 12:50 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>
>> 高 云龙 <gaoyunlong(at)biss(dot)com> writes:
>>> Hi, my PostgreSQL is 11.1 and I find a problem with the execute privilege.
>>> Now I have a new db user and a UDF. The function's body updates a table.
>>
>>> When I run grant update on table xxx to the new user, I find that I can execute the function and it doesn't report "Execute permission for functions<https://www.postgresql.org/message-id/4C2BBAEA.6040805%40gmail.com> xxx". Is this right?
>>
>> This is not a bug. Per the GRANT manual page [1]:
>>
>> PostgreSQL grants default privileges on some types of objects to
>> PUBLIC. No privileges are granted to PUBLIC by default on tables,
>> table columns, sequences, foreign data wrappers, foreign servers,
>> large objects, schemas, or tablespaces. For other types of objects,
>> the default privileges granted to PUBLIC are as follows: CONNECT and
>> TEMPORARY (create temporary tables) privileges for databases;
>> EXECUTE privilege for functions and procedures; and USAGE privilege
>> for languages and data types (including domains). The object owner
>> can, of course, REVOKE both default and expressly granted
>> privileges. (For maximum security, issue the REVOKE in the same
>> transaction that creates the object; then there is no window in which
>> another user can use the object.) Also, these initial default
>> privilege settings can be changed using the ALTER DEFAULT PRIVILEGES
>> command.
>>
>> So the new user is making use of the default grant of EXECUTE to PUBLIC.
>> If you don't want that, revoke execute privilege on that function from
>> PUBLIC and then grant it to just the users who should be allowed to call
>> the function.
>>
>> regards, tom lane
>>
>> [1] https://www.postgresql.org/docs/current/sql-grant.html
>
Make a copy for pgsql-bugs(at)lists(dot)postgresql(dot)org
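
The situation the thread describes, as an added example that is not part of the original messages: a SQL-language function whose body updates a table, the revoke-from-the-named-user that has no effect because the caller only holds EXECUTE through PUBLIC, and the fix from the GRANT manual page. Role `app_user`, schema `app`, table `app.accounts` and function `app.bump_balance` are assumed names; run it as the object owner or a superuser in psql.

```sql
-- Added example (assumed names), not code from the thread.
CREATE ROLE app_user LOGIN;
CREATE SCHEMA app;
CREATE TABLE app.accounts (id int PRIMARY KEY, balance int NOT NULL);
INSERT INTO app.accounts VALUES (1, 100);

-- The UDF from the report: its body is an UPDATE on a table.
-- Not SECURITY DEFINER, so the caller also needs rights on the table.
CREATE FUNCTION app.bump_balance(acct int, delta int) RETURNS void
LANGUAGE sql AS $$
  UPDATE app.accounts SET balance = balance + delta WHERE id = acct;
$$;

GRANT USAGE ON SCHEMA app TO app_user;
-- SELECT is needed because the WHERE clause reads the id column.
GRANT SELECT, UPDATE ON app.accounts TO app_user;

-- Default privileges: CREATE FUNCTION granted EXECUTE to PUBLIC,
-- so the new user can already call it.
SELECT has_function_privilege('app_user', 'app.bump_balance(int, int)', 'EXECUTE');
-- t

-- Revoking from the named role changes nothing: app_user never held a
-- direct grant, the EXECUTE right comes via PUBLIC.
REVOKE EXECUTE ON FUNCTION app.bump_balance(int, int) FROM app_user;
SELECT has_function_privilege('app_user', 'app.bump_balance(int, int)', 'EXECUTE');
-- still t

-- The fix: drop the PUBLIC grant, then allow-list the roles that may call it.
REVOKE EXECUTE ON FUNCTION app.bump_balance(int, int) FROM PUBLIC;
SELECT has_function_privilege('app_user', 'app.bump_balance(int, int)', 'EXECUTE');
-- f
GRANT EXECUTE ON FUNCTION app.bump_balance(int, int) TO app_user;

-- For new functions, close the window the manual warns about by issuing the
-- REVOKE in the same transaction as CREATE FUNCTION ...
BEGIN;
CREATE FUNCTION app.freeze_account(acct int) RETURNS void
LANGUAGE sql AS $$ UPDATE app.accounts SET balance = 0 WHERE id = acct; $$;
REVOKE EXECUTE ON FUNCTION app.freeze_account(int) FROM PUBLIC;
COMMIT;

-- ... or change the default for future functions in this schema so that
-- PUBLIC never receives EXECUTE in the first place.
ALTER DEFAULT PRIVILEGES IN SCHEMA app REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
```

`has_function_privilege` reports the effective right, including what arrives through PUBLIC, so it is the quick check for whether a REVOKE actually closed the path a caller was using.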
