| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Limit global default function execution privileges |
| Date: | 2018-03-07 15:38:43 |
| Message-ID: | 20180307153842.GJ2416@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Greetings,
* David G. Johnston (david(dot)g(dot)johnston(at)gmail(dot)com) wrote:
> Since we are discussing locking down our defaults is revoking the global
> function execution privilege granted to PUBLIC - instead limiting it to
> just the pg_catalog schema - on the table?
>
> I'm not sure how strongly I feel toward the proposal but it does come up on
> these lists; and the fact that it doesn't distinguish between security
> definer and security invoker is a trap for the unaware.
I wouldn't limit it to the pg_catalog schema, I'd just explicitly mark
the functions in pg_catalog which should have EXECUTE rights available
to PUBLIC.
I'm afraid this would cause a lot of work for people who use a lot of
pl/pgsql, but it might be a good thing in the end. Environments could
configure ALTER DEFAULT PRIVILEGES to automatically install the GRANT
back if they wanted it, and pg_dump would just pull through whatever the
privileges actually were on old systems into the new systems.
This definitely comes up regularly when introducing new people to
PostgreSQL.
Thanks!
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nikolay Shaplov | 2018-03-07 15:40:57 | Re: [PATCH] get rid of StdRdOptions, use individual binary reloptions representation for each relation kind instead |
| Previous Message | Bossart, Nathan | 2018-03-07 15:32:33 | Re: BUG #14941: Vacuum crashes |