Re: document the dangers of granting TRIGGER or REFERENCES

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Nathan Bossart <nathandbossart(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: document the dangers of granting TRIGGER or REFERENCES
Date: 2026-07-14 15:56:49
Message-ID: 3337978.1784044609@sss.pgh.pa.us
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> Also, while there may very well be people who have legitimately been
> unpleasantly surprised by the actual behavior here, an awful lot of
> the "people" currently discovering the situation here are in fact just
> looking for a way to manufacture a security report. As long as we have
> a statement of some kind in the docs, we can just point to that. It
> doesn't need to be particularly prominent -- although I'm not trying
> to conceal it, either. I didn't find a more natural place to mention
> this than where I actually put it.

Right. I looked around too, but this section (5.9) seems fine.
In particular, while the GRANT reference page lists the names of
the privileges, it does not describe any of them, just points you
to 5.9.

regards, tom lane

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2026-07-14 16:08:20 Re: Fix GROUP BY ALL handling of ORDER BY operator semantics
Previous Message Tom Lane 2026-07-14 15:54:07 Re: document the dangers of granting TRIGGER or REFERENCES