From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: to_char incompatibility |
Date: | 2008-01-11 04:29:54 |
Message-ID: | 7572.1200025794@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
"Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com> writes:
> <soapbox>
> Executing a function should never require privileges on the underlying
> objects referenced in it. The function should always run with the rights of
> the owner of the function, not the user executing it.
> </soapbox>
You might want to climb off that soapbox for long enough to read the
various security-related threads that have been in this mailing list
over the past year or so. Security-definer functions are seriously
at risk from trojan-horse exploits; particularly in an extensible system
such as Postgres.
Certainly there are cases where you want a function to change privilege
levels as sketched above. But I'd argue that there are a huge number
of cases where a function is just providing convenient shorthand for
something the caller could do for himself --- and when that's the case,
making it have more/different privileges from the caller is simply
taking a risk for no reward.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2008-01-11 04:50:31 | Re: Pl/Java broken since Postgresql 8.3-rc1 |
Previous Message | Kris Jurka | 2008-01-11 04:19:21 | Re: Pl/Java broken since Postgresql 8.3-rc1 |