| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: to_char incompatibility |
| Date: | 2008-01-11 04:29:54 |
| Message-ID: | 7572.1200025794@sss.pgh.pa.us |
| Lists: | pgsql-hackers |
"Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com> writes:
> <soapbox>
> Executing a function should never require privileges on the underlying
> objects referenced in it. The function should always run with the rights of
> the owner of the function, not the user executing it.
> </soapbox>

You might want to climb off that soapbox for long enough to read the
various security-related threads that have been in this mailing list
over the past year or so. Security-definer functions are seriously
at risk from trojan-horse exploits, particularly in an extensible system
such as Postgres.

Certainly there are cases where you want a function to change privilege
levels as sketched above. But I'd argue that there are a huge number
of cases where a function is just providing convenient shorthand for
something the caller could do for himself --- and when that's the case,
making it have more/different privileges from the caller is simply
taking a risk for no reward.

regards, tom lane
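The two cases Tom distinguishes, as an added SQL example that is not part of the thread and not PostgreSQL project code: a function that is mere shorthand keeps the caller's own rights (SECURITY INVOKER, the default), and a function that genuinely needs to change privilege level is defined SECURITY DEFINER with its search_path pinned to trusted schemas, its object references schema-qualified, and its EXECUTE right granted only to the roles that need it. The tables `accounts` and `audit_log` and the role `tellers` are hypothetical.

```sql
-- Case 1 (hypothetical table): convenient shorthand for something the caller
-- could run directly. SECURITY INVOKER is the default, so the function gains
-- no privileges beyond the caller's; if the caller cannot read accounts,
-- neither can this function.
CREATE FUNCTION account_balance(acct integer) RETURNS numeric
LANGUAGE sql
SECURITY INVOKER
AS $$ SELECT balance FROM public.accounts WHERE id = acct $$;

-- Case 2 (hypothetical tables and role): the caller may not update accounts
-- directly, so the function runs with the owner's rights. Because it does,
-- unqualified names must not be resolvable through schemas the caller
-- controls: pin search_path to pg_catalog (pg_temp last, never first) and
-- schema-qualify every object the body touches.
CREATE FUNCTION audited_withdraw(acct integer, amt numeric) RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    UPDATE public.accounts
       SET balance = balance - amt
     WHERE id = acct;

    INSERT INTO public.audit_log (acct, amt, who)
    VALUES (acct, amt, current_user);   -- record who invoked the definer function
END
$$;

-- Privileged functions are created executable by PUBLIC; narrow that to the
-- roles that need the privilege change so the owner's rights are not handed
-- to every database user.
REVOKE EXECUTE ON FUNCTION audited_withdraw(integer, numeric) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION audited_withdraw(integer, numeric) TO tellers;
```

The `SET search_path` clause on CREATE FUNCTION and the REVOKE/GRANT pattern are the hardening steps the PostgreSQL documentation recommends for SECURITY DEFINER functions; the first example needs none of them because it never holds more rights than its caller.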