Adrian Klaver <adrian.klaver@xxxxxxxxxxx> writes: > On 4/21/24 11:20, yudhi s wrote: >> So in this case i was wondering if "event trigger" can cause any >> additional threat and thus there is no such privilege like "create >> trigger" exist in postgres and so it should be treated cautiously? > An event trigger runs as a superuser and executes a function that in > turn can do many things, you do the math on the threat level. As a trivial example: an event trigger could prevent the legitimate superuser(s) from doing anything at all in that database, just by blocking all their commands. This might not even require malicious intent, merely faulty coding --- but the opportunity for malicious intent is staggeringly large. regards, tom lane
