| From: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
|---|---|
| To: | David Kohn <djk447(at)gmail(dot)com> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: POC for a function trust mechanism |
| Date: | 2018-08-09 23:00:27 |
| Message-ID: | CAMsGm5d9kJQUN0Xo2SP0Cjd3uTU46=PQr=KZkiQ6LehANDPe2g@mail.gmail.com |
| Lists: | pgsql-hackers |
On 9 August 2018 at 18:18, David Kohn <djk447(at)gmail(dot)com> wrote:
> Anyway, I guess all of this seems to introduce a lot more complexity into
> an already complex permissions management system...is this all about the
> public schema? Can we just make create function/operator etc something you
> have to grant even in the public schema? It seems like that could be
> significantly more user friendly than this.
>
Already true, if you do:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
Which I do, in all my databases, and which is probably a good idea in most
scenarios.
> Or otherwise, would functions owned by the database or schema owner be
> exempt from this? Because there are many setups where people try to avoid
> superuser usage by creating database or schema owner users who can do
> things like create function, which normal users can now use. Would checks
> be skipped if the function call is schema qualified because then there's no
> reasonable way to think that someone is being fooled about which function
> they are executing?
>
At present, permissions are completely separate from ownership: your
ability to use an object does not depend on who owns what (I believe you
can even revoke your own rights to use your own stuff). I suspect changing
this is probably not a good idea.
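
Added example, not part of the original message: a PostgreSQL session that applies the REVOKE quoted above, verifies its effect, audits what already lives in `public`, and shows an owner revoking its own EXECUTE right. The role names `app_owner` and `app_user` and the function `demo_fn` are hypothetical; the script assumes a superuser session and rolls everything back.

```sql
BEGIN;

-- Hypothetical roles, constructed for this demonstration only.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_user  NOLOGIN;

-- Before: on PostgreSQL 14 and earlier, PUBLIC holds CREATE on schema public
-- by default, so this returns true for any role.
SELECT has_schema_privilege('app_user', 'public', 'CREATE') AS can_create_before;

-- The hardening step from the message, plus an explicit grant to the one
-- role that is meant to create objects there.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT  CREATE ON SCHEMA public TO app_owner;

-- After: only app_owner can create; both roles can still look objects up.
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'public', 'CREATE') AS can_create,
       has_schema_privilege(r.rolname, 'public', 'USAGE')  AS can_use
FROM pg_roles r
WHERE r.rolname IN ('app_owner', 'app_user')
ORDER BY r.rolname;

-- The REVOKE does not remove objects created earlier. List functions in
-- public that are owned by non-superusers so they can be reviewed.
SELECT p.oid::regprocedure AS function_signature,
       o.rolname           AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles o     ON o.oid = p.proowner
WHERE n.nspname = 'public'
  AND NOT o.rolsuper
ORDER BY 1;

-- Permissions are separate from ownership: the owner can revoke its own
-- EXECUTE right and still owns the function.
SET ROLE app_owner;
CREATE FUNCTION public.demo_fn() RETURNS int LANGUAGE sql AS 'SELECT 1';
REVOKE EXECUTE ON FUNCTION public.demo_fn() FROM PUBLIC, app_owner;
SELECT has_function_privilege('app_owner', 'public.demo_fn()', 'EXECUTE')
       AS owner_can_execute;
RESET ROLE;

ROLLBACK;
```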