Re: Permissions on aggregate component functions

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Permissions on aggregate component functions
Date: 2005-01-27 21:42:06
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On Thu, Jan 27, 2005 at 15:27:54 -0500,
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> I just noticed that there is no permission check anywhere in CREATE
> AGGREGATE concerning the aggregate's transition and final functions.
> This means anyone can trivially bypass the function EXECUTE permission
> check: just make an aggregate function to call it for you. (Now, this
> works only for functions whose signature fits what an aggregate
> expects, but for most one- and two-argument functions you can do it.)
> Clearly this is a must-fix issue, but I'm wondering exactly where the
> check should be enforced. Is it sufficient to check at the time of
> CREATE AGGREGATE that the creator has appropriate rights, or do we need
> to do it every time the aggregate is used?

I would think both would be best. If you don't check at runtime the function
owner can't easily revoke access (dropping the function might be a pain
if it is used in lots of places). It is nice to check at creation so as
to give immediate feedback if there is a problem.

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Marc G. Fournier 2005-01-27 21:51:17 Re: Security Release Packaging ...
Previous Message Mark Wong 2005-01-27 21:30:25 Re: [HACKERS] WAL: O_DIRECT and multipage-writer