| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
| Cc: | Joe Conway <mail(at)joeconway(dot)com>, "Hackers (PostgreSQL)" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: has_language_privilege returns incorrect answer for non-superuser |
| Date: | 2016-04-14 17:23:54 |
| Message-ID: | 939.1460654634@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> writes:
> Joe Conway wrote:
>> I noticed today that has_language_privilege() returns incorrect answer
>> for non-superuser, e.g.:
>>
>> 8<---------------------------------------------------
>> select has_language_privilege('nobody',
>> 'plperlu',
>> 'usage');
>> has_language_privilege
>> ------------------------
>> t
>> (1 row)
> Funnily enough, this is still the case in 9.6, four years later. Have
> we made any inroads in fixing this?
The reason for the discrepancy is that the check actually enforced by
CreateFunction (functioncmds.c:948) is not about USAGE if it's an
untrusted language. The user does actually have USAGE, so far as the
standard privilege system is concerned, but we're still disallowing the
function creation.
I suppose that this is one of the things that Stephen Frost would like
to normalize to be completely driven by the standard privilege system.
Possibly we could simplify CREATE FUNCTION to just check USAGE all the
time, and instead have CREATE LANGUAGE auto-revoke public USAGE if
it's not a trusted language.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Steele | 2016-04-14 17:28:35 | Re: Refactor pg_dump as a library? |
| Previous Message | Alvaro Herrera | 2016-04-14 17:11:50 | Re: has_language_privilege returns incorrect answer for non-superuser |