Re: Security leak with trigger functions?

Martijn van Oosterhout wrote:
> On Fri, Dec 15, 2006 at 11:52:33AM -0500, Andrew Dunstan wrote:
>
>> Isn't the problem that they can do more than just things with the table?
>> If the trigger runs as the owner of the table it can do *anything* the
>> owner can do. So if we allow the alter privilege to include ability to
>> place a trigger then that privilege includes everything the owner can do
>> (including granting/revoking other privileges). Surely that is not what
>> was intended. Arguably we should invent a concept of an explicit trigger
>> owner.
>>
>
> I thought the problem was the other way round. That some person created
> a function as SECURITY DEFINER but restricted EXECUTE permissions. And
> now anybody can create a table and use that function as a trigger and
> it will be executed even though neither the owner of the table nor the
> person executing the trigger has EXECUTE permissions.
>
> Triggers don't have owners because like you said, the table owner
> controls them. The point is that there's no check that the table owner
> is actually allowed to execute the function being used as trigger.
>
> The trigger never runs as the owner of the table AIUI, only ever as the
> definer of the function or as session user.
>
>
>

OK, sorry for the confusion.

cheers

andrew