From: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
---|---|
To: | David Kohn <djk447(at)gmail(dot)com> |
Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: POC for a function trust mechanism |
Date: | 2018-08-09 23:00:27 |
Message-ID: | CAMsGm5d9kJQUN0Xo2SP0Cjd3uTU46=PQr=KZkiQ6LehANDPe2g@mail.gmail.com |
Lists: | pgsql-hackers |
On 9 August 2018 at 18:18, David Kohn <djk447(at)gmail(dot)com> wrote:
> Anyway, I guess all of this seems to introduce a lot more complexity into
> an already complex permissions management system...is this all about the
> public schema? Can we just make create function/operator etc something you
> have to grant even in the public schema? It seems like that could be
> significantly more user friendly than this.
>

Already true, if you do:

    REVOKE CREATE ON SCHEMA public FROM PUBLIC;

Which I do, in all my databases, and which is probably a good idea in most
scenarios.

> Or otherwise, would functions owned by the database or schema owner be
> exempt from this? Because there are many setups where people try to avoid
> superuser usage by creating database or schema owner users who can do
> things like create function, which normal users can now use. Would checks
> be skipped if the function call is schema qualified because then there's no
> reasonable way to think that someone is being fooled about which function
> they are executing?
>
At present, permissions are completely separate from ownership: your
ability to use an object does not depend on who owns what (I believe you
can even revoke your own rights to use your own stuff). I suspect changing
this is probably not a good idea.
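
Added example (not part of the original message or of PostgreSQL's own code): a SQL walk-through of the two points in this reply, auditing and revoking CREATE on schema public, and checking that an owner's privileges are tracked separately from ownership. The names app_owner, demo and demo.t are hypothetical, and it assumes a superuser session in a scratch database.

```sql
-- Added example; app_owner, demo and demo.t are hypothetical names.
-- Assumes a superuser session in a scratch database.

-- 1. List who holds which privileges on schema public.
--    Grantee OID 0 in the ACL is the PUBLIC pseudo-role.
SELECT COALESCE(r.rolname, 'PUBLIC') AS grantee,
       a.privilege_type
FROM pg_namespace AS n
CROSS JOIN LATERAL aclexplode(
         COALESCE(n.nspacl, acldefault('n', n.nspowner))) AS a
LEFT JOIN pg_roles AS r ON r.oid = a.grantee
WHERE n.nspname = 'public'
ORDER BY 1, 2;

-- 2. The statement from the message. Afterwards, creating functions,
--    operators or other objects in public is limited to superusers, the
--    schema owner and roles that hold an explicit CREATE grant.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Ownership and privileges are tracked separately.
--    Everything in this step is rolled back at the end.
BEGIN;
CREATE ROLE app_owner;
CREATE SCHEMA demo AUTHORIZATION app_owner;
SET LOCAL ROLE app_owner;
CREATE TABLE demo.t (id int);

-- The owner gives up its own privileges on its own table ...
REVOKE ALL ON demo.t FROM app_owner;
SELECT has_table_privilege('app_owner', 'demo.t', 'SELECT') AS owner_can_select;

-- ... but an owner always keeps the right to grant, so it can re-grant.
GRANT SELECT ON demo.t TO app_owner;
SELECT has_table_privilege('app_owner', 'demo.t', 'SELECT') AS owner_can_select;

RESET ROLE;
ROLLBACK;
```

PostgreSQL 15 and later no longer grant CREATE on public to PUBLIC in newly created databases, but databases carried over from older versions keep the old grant, so the audit query in step 1 is still worth running.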