Re: Permissions on aggregate component functions

From: Simon Riggs <simon(at)2ndquadrant(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Permissions on aggregate component functions
Date: 2005-01-27 22:55:33
Message-ID: 1106866534.31592.344.camel@localhost.localdomain
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On Thu, 2005-01-27 at 15:27 -0500, Tom Lane wrote:
> I just noticed that there is no permission check anywhere in CREATE
> AGGREGATE concerning the aggregate's transition and final functions.
> This means anyone can trivially bypass the function EXECUTE permission
> check: just make an aggregate function to call it for you. (Now, this
> works only for functions whose signature fits what an aggregate
> expects, but for most one- and two-argument functions you can do it.)
> Clearly this is a must-fix issue, but I'm wondering exactly where the
> check should be enforced. Is it sufficient to check at the time of
> CREATE AGGREGATE that the creator has appropriate rights, or do we need
> to do it every time the aggregate is used?

Well spotted.

Check should be once for each SQL statement in which the function is
attempted to be used. Otherwise, an administrator might revoke EXECUTE
privilege on a function that was used as part of an AGGREGATE, then
discover that the user could still execute it in the way you suggest.

Best Regards, Simon Riggs

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Oliver Jowett 2005-01-27 23:12:31 Re: bug w/ cursors and savepoints
Previous Message David Parker 2005-01-27 22:49:37 Re: Strange issue with initdb on 8.0 and Solaris automounts