Re: BUG #13651: trigger security invoker attack

From David G. Johnston
Subject Re: BUG #13651: trigger security invoker attack
Date
Msg-id CAKFQuwbRFFSMy_0xxGe75MR4XBrCm+rbogug6hrVx044obkMEA@mail.gmail.com
In response to BUG #13651: trigger security invoker attack  (digoal@126.com)
Responses Re: BUG #13651: trigger security invoker attack  (德哥 <digoal@126.com>)
Re: BUG #13651: trigger security invoker attack  (德哥 <digoal@126.com>)
List pgsql-bugs
On Tuesday, September 29, 2015, 德哥 <digoal@126.com> wrote:

> I hope this:
>     Nonsuperuser can't CREATE | ALTER security invoker Functions.
>

In that case don't hold your breath.  Besides, your rules-based spoofing
doesn't actually have this problem since the rule owner is the invoker, not
the original user.  And I'm still confused regarding your original post and
how it describes an active risk.  Your second example is also flawed as
it requires superuser permissions to work.

Security invoker functions are safe because the caller cannot do anything they
couldn't otherwise do.  That doesn't mean they should treat the code as
trusted or a black-box.

Do you have a suggestion that doesn't amount to scrapping the whole thing
and starting over?

David J.
