From 14ebee14256e2bda9201376d1d2eee282daed8e3 Mon Sep 17 00:00:00 2001 From: Robert Haas Date: Tue, 14 Jul 2026 09:12:20 -0400 Subject: [PATCH v1] doc: Granting TRIGGER or REFERENCES on table is dangerous. It's always been the case that granting these privileges to users that you don't fully trust was a bad idea, but it hasn't always been obvious to people reading the documentation that this is the case. To prevent confusion, and also repeated reports to pgsql-security, mention it explicitly. --- doc/src/sgml/ddl.sgml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml index 2b08b54edf5..68ed6e4fd4f 100644 --- a/doc/src/sgml/ddl.sgml +++ b/doc/src/sgml/ddl.sgml @@ -2396,7 +2396,11 @@ REVOKE ALL ON accounts FROM PUBLIC; Allows creation of a foreign key constraint referencing a - table, or specific column(s) of a table. + table, or specific column(s) of a table. Great care should be taken when + granting this privilege, since a user who creates a foreign key can arrange + for enforcement of that foreign key to call an arbitrary function, such as + a cast function, and such functions will be called with the privileges of + the table owner. @@ -2405,7 +2409,9 @@ REVOKE ALL ON accounts FROM PUBLIC; TRIGGER - Allows creation of a trigger on a table, view, etc. + Allows creation of a trigger on a table, view, etc. Great care should be + taken when granting this privilege, since any triggers added to a table + or view will be executed with the privileges of users who modify it. -- 2.50.1 (Apple Git-155)