On 04/06/2011 07:41 AM, hubert depesz lubaczewski wrote:
> On Wed, Apr 06, 2011 at 09:06:50AM +0200, pasman pasmański wrote:
>>> was pointed to the fact that security definer functions have the same
>>> default privileges as normal functions in the same language - i.e. if
>>> the language is trusted - public has the right to execute them.
>>> maybe i'm missing something important, but given the fact that security
>>> definer functions are used to get access to things that you usually
>>> don't have access to - shouldn't the privilege be revoked by default,
>>> and grants left for dba to decide?
>> you can create function in schema accessible to dba only.
> sure. and I can revoke the privileges and grant the ones I need.
> I know I can *fix* it. But I just think that the default should be the
> same as with untrusted languages.

As was said earlier the point of SECURITY DEFINER is to allow
non-privileged users access to privileged content. When a trusted
function is created it has the default of SECURITY INVOKER that
restricts its privileges to that of the calling user. Switching to
SECURITY DEFINER is a dba decision on grants already.

> depesz
--
Adrian Klaver
adrian.klaver@xxxxxxxxx
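
The revoke-and-grant fix discussed in this thread, written out as an added example (not code from any of the posters). The role, schema, table and function names are hypothetical, and `ALTER DEFAULT PRIVILEGES` assumes PostgreSQL 9.0 or later.

```sql
-- Constructed example: app_reader, secure, accounts and account_balance
-- are hypothetical names chosen for illustration.
BEGIN;

CREATE ROLE app_reader NOLOGIN;
CREATE SCHEMA secure;
CREATE TABLE secure.accounts (
    id      int PRIMARY KEY,
    owner   text NOT NULL,
    balance numeric NOT NULL
);

-- Runs with the privileges of the function owner. search_path is pinned so
-- object names resolve in trusted schemas, not in whatever the caller set.
CREATE FUNCTION secure.account_balance(p_id int) RETURNS numeric
    LANGUAGE sql STABLE SECURITY DEFINER
    SET search_path = secure, pg_temp
AS $$ SELECT balance FROM secure.accounts WHERE id = p_id $$;

-- A new function carries EXECUTE for PUBLIC by default. Doing the REVOKE in
-- the same transaction as the CREATE means no other session ever sees the
-- function with the default ACL.
REVOKE ALL ON FUNCTION secure.account_balance(int) FROM PUBLIC;
GRANT USAGE ON SCHEMA secure TO app_reader;
GRANT EXECUTE ON FUNCTION secure.account_balance(int) TO app_reader;

COMMIT;

-- Change the default for functions the current role creates from now on.
-- This must be the global form: a per-schema (IN SCHEMA) setting can only
-- add privileges, it cannot take away the built-in grant to PUBLIC.
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Audit: SECURITY DEFINER functions that PUBLIC can still execute.
SELECT n.nspname                                AS schema,
       p.proname                                AS function,
       pg_get_function_identity_arguments(p.oid) AS args,
       pg_get_userbyid(p.proowner)              AS owner
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
AND    has_function_privilege('public', p.oid, 'EXECUTE')
ORDER  BY 1, 2;
```

The audit query reports only the function ACL; a function it lists in a schema without `USAGE` for PUBLIC is still unreachable by ordinary users, which is the "schema accessible to dba only" approach mentioned in the thread.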