Tom Lane wrote:
> hubert depesz lubaczewski <depesz@xxxxxxxxxx> writes:
> > was pointed to the fact that security definer functions have the same
> > default privileges as normal functions in the same language - i.e. if
> > the language is trusted - public has the right to execute them.
> >
> > maybe i'm missing something important, but given the fact that security
> > definer functions are used to get access to things that you usually
> > don't have access to - shouldn't the privilege be revoked by default,
> > and grants left for dba to decide?
>
> I don't see that that follows, at all. The entire point of a security
> definer function is to provide access to some restricted resource to
> users who couldn't get at it with their own privileges. Having it start
> with no privileges would be quite useless.

Sorry for the late reply, but isn't this exactly what we do when we
create schemas? We create them with owner-only permissions because it
closes a window of vulnerability if someone creates the schema and then
tries to lock it down later. Is the security-definer function a similar
case that should start as owner-only?

--
  Bruce Momjian <bruce@xxxxxxxxxx> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +
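
The window discussed in this thread can be closed from the DBA side by creating the function and adjusting its ACL in one transaction. The following is an added example, not part of the original message or of PostgreSQL's own code; the table, function and role names are hypothetical, and it assumes a current PostgreSQL release and a table in the `public` schema.

```sql
-- Constructed example: account_secret, check_password and app_login are
-- hypothetical names chosen for illustration.
BEGIN;

CREATE ROLE app_login NOLOGIN;

CREATE TABLE public.account_secret (
    username text PRIMARY KEY,
    pwhash   text NOT NULL
);
REVOKE ALL ON public.account_secret FROM PUBLIC;

-- Runs with the owner's privileges. The fixed search_path keeps a caller
-- from substituting objects through their own schema settings.
CREATE FUNCTION public.check_password(p_user text, p_hash text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM public.account_secret
        WHERE username = p_user AND pwhash = p_hash
    );
$$;

-- CREATE FUNCTION grants EXECUTE to PUBLIC by default. Because the REVOKE
-- is in the same transaction, no other session ever sees the function
-- with that default ACL.
REVOKE ALL ON FUNCTION public.check_password(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.check_password(text, text) TO app_login;

COMMIT;

-- Optional: functions created later by the current role start without
-- the PUBLIC grant, which gives the owner-only starting point that
-- schemas already have.
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Audit: SECURITY DEFINER functions that PUBLIC can still execute.
SELECT p.oid::regprocedure AS function, r.rolname AS owner
FROM pg_proc p
JOIN pg_roles r ON r.oid = p.proowner
WHERE p.prosecdef
  AND has_function_privilege('public', p.oid, 'EXECUTE');
```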