Re: Why is EXECUTE granted to PUBLIC for all routines?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Jacek Trocinski <jacek(at)hedgehog(dot)app>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Why is EXECUTE granted to PUBLIC for all routines?
Date: 2022-04-22 17:44:40
Message-ID: 3707734.1650649480@sss.pgh.pa.us
Lists: pgsql-hackers

Jacek Trocinski <jacek(at)hedgehog(dot)app> writes:
> The default behavior on Postgres is to grant EXECUTE to PUBLIC on any
> function or procedure that is created.

> I feel this is a security concern, especially for procedures and
> functions defined with the "SECURITY DEFINER" clause.

There is zero security concern for non-SECURITY-DEFINER functions,
since they do nothing callers couldn't do for themselves. For those,
you typically do want to grant out permissions. As for SECURITY DEFINER
functions, there is no reason to make one unless it is meant to be called
by someone besides the owner. Perhaps PUBLIC isn't the scope you want to
grant it to, but no-privileges wouldn't be a useful default there either.

In any case, changing this decision now would cause lots of problems,
such as breaking existing dump files. We're unlikely to revisit it.

As noted in the docs, best practice is to adjust the permissions
as you want them in the same transaction that creates the function.

regards, tom lane
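The "same transaction" practice Tom refers to, as an added example that is not part of the thread or of PostgreSQL's own documentation. The schema `app`, the function body, the table `app.orders` and the role `order_clerk` are assumptions made for illustration.

```sql
-- Added example (not from the thread): create a SECURITY DEFINER function and
-- fix its privileges inside the same transaction, so no other session ever
-- observes a moment in which PUBLIC holds EXECUTE on it.
-- Schema, table, role and function body are hypothetical.
BEGIN;

CREATE FUNCTION app.archive_order(order_id bigint)
RETURNS void
LANGUAGE sql
SECURITY DEFINER
-- Pin search_path so the function resolves objects in known schemas only;
-- the CREATE FUNCTION docs recommend this for every SECURITY DEFINER routine.
SET search_path = app, pg_temp
AS $$
  UPDATE app.orders SET archived = true WHERE id = order_id;
$$;

-- CREATE FUNCTION grants EXECUTE to PUBLIC by default; take it back first.
REVOKE EXECUTE ON FUNCTION app.archive_order(bigint) FROM PUBLIC;

-- Then grant EXECUTE only to the role that legitimately needs it.
GRANT EXECUTE ON FUNCTION app.archive_order(bigint) TO order_clerk;

COMMIT;

-- Check: proacl is NULL only while the built-in default (PUBLIC EXECUTE)
-- applies; after the REVOKE/GRANT it lists the owner and order_clerk.
SELECT proname, proacl
FROM pg_proc
WHERE proname = 'archive_order';
```

If every routine a role creates in a schema should start without the PUBLIC grant, `ALTER DEFAULT PRIVILEGES IN SCHEMA app REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;` changes the default for that creating role going forward; it does not touch functions that already exist.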
