| From: | Josh Berkus <josh(at)agliodbs(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Subject: | Re: Security leak with trigger functions? |
| Date: | 2006-12-14 20:12:23 |
| Message-ID: | 200612141212.24521.josh@agliodbs.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Peter,
> PostgreSQL only allows a trigger action of "call this function", so in
> the SQL standard context that would mean we'd need to check the EXECUTE
> privilege of the owner of the trigger. The trick is figuring out who
> the owner is. If it's the owner of the table, then TRIGGER privilege
> is effectively total control over the owner of the table. If it's
> whoever created the trigger, it might be useful, but I don't see how
> that is compatible with the intent of the SQL standard.
If that's the case, then a separate TRIGGER priveledge would seem to be
superfluous.
One thing to think about, though; our model allows granting ALTER
privelidge on a table to roles other than the table owner. It would seem
kind of inconsistent to be able to grant non-owner roles the ability to
drop a column, but restrict only the owner to adding a trigger. For one
thing, if you have a non-owner role which has ALTER permission and wants
to add an FK, how would that work?
--
--Josh
Josh Berkus
PostgreSQL @ Sun
San Francisco
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2006-12-14 21:20:58 | Re: Security leak with trigger functions? |
| Previous Message | Shane Ambler | 2006-12-14 19:37:19 | Re: libpq.a in a universal binary |