| From: | Sandro Santilli <strk(at)keybit(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Triggers NOT running as table owner |
| Date: | 2013-06-27 11:58:16 |
| Message-ID: | 20130627115816.GC22393@gnash |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
According to release notes of 8.3.18 (yeah, old docs)
a trigger runs with the the table owner permission.
This is the only document I found about this matter:
http://www.postgresql.org/docs/8.3/static/release-8-3-18.html
Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas)
This missing check could allow another user to execute a trigger
function with forged input data, by installing it on a table he
owns. This is only of significance for trigger functions marked
SECURITY DEFINER, since otherwise trigger functions run as the table
owner anyway. (CVE-2012-0866)
But, while I'd need this to be true, I can't confirm this is the case.
Did I misinterpret the note above ?
--strk;
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Daniel Cristian Cruz | 2013-06-27 12:11:39 | Re: Migration from DB2 to PostgreSQL-TIMESTAMP(arg1,arg1) |
| Previous Message | Raymond O'Donnell | 2013-06-27 11:56:45 | Re: Migration from DB2 to PostgreSQL-TIMESTAMP(arg1,arg1) |