| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Keith Fiske <keith(at)omniti(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Allow GRANT TRIGGER privilege to DROP TRIGGER (Re: Bug ##7716) |
| Date: | 2014-07-30 19:42:34 |
| Message-ID: | 20140730194234.GN2791@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Jul 16, 2014 at 07:45:56PM -0400, Tom Lane wrote:
> A look at check_object_ownership suggests that you could take the TRIGGER
> case out of the generic relation path and make it a special case that
> allows either ownership or TRIGGER permission.
>
> TBH, though, I'm not sure this is something to pursue. We discussed all
> this back in 2006. As I pointed out at the time, giving somebody TRIGGER
> permission is tantamount to giving them full control of your account:
> http://www.postgresql.org/message-id/21827.1166115978@sss.pgh.pa.us
> because they can install a trigger that will execute arbitrary code with
> *your* privileges the next time you modify that table.
>
> I think we should get rid of the separate TRIGGER privilege altogether,
> not make it an even bigger security hole.
Uh, how does removing a trigger cause a larger security hole? As long
as users can create triggers, removal seems logical.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Josh Loberant | 2014-07-30 19:44:07 | Re: No, pg_size_pretty(numeric) was not such a hot idea |
| Previous Message | Bruce Momjian | 2014-07-30 19:21:36 | Re: pgaudit - an auditing extension for PostgreSQL |