Tom,
Does this mean that all querytree permission checking is done at query
build time? (I'm still trying to grok the source code in this area).
I was hoping to let the rule system do all the hard permission checking
work since it already does that, and the security implications of
allowing rules to execute with greater privilege than their callers has
already been considered at some length.
True suid functions are probably a better idea but then we need to be
able to limit who can execute such functions. This looks like a much
more extensive change than I was anticipating.
I don't fully understand the issue with rewritten expressions being
arbitrary combinations of clauses from the rule and the users original
query. Isn't each clause its own node (allowing us to determine whether
the function should be called in the user's or rule-owner's context) or
do I have to go and read the source some more ;-)
Anyway, thanks for the response. I'll have to do some more hard
thinking now.
On Mon, 2002-01-21 at 12:19, Tom Lane wrote:
> Marc Munro <marc@bloodnok.com> writes:
> > For this, we need to be able to have functions which run with the
> > permissions of the rule owner rather than the caller (please see my
> > response, in plsql-general, to depesz@depesz.pl, Re: IDEA: "suid"
> > function).
>
> I believe "suid" functions are a more practical solution than expecting
> the rule mechanism to handle this for you. I don't want to put access
> checking/id switching overhead into the basic expression evaluation
> engine; but it's hard to see how we could make functions-invoked-in-rules
> be treated specially without that. The problem is that expressions
> coming out of the rewriter might be arbitrary combinations of clauses
> that appeared in the rule and clauses that appeared in the user's
> original query.
>
> "Suid" functions have been on the TODO list for awhile. Peter E. has
> been making noises recently suggesting that he's actually planning to
> make them happen for 7.3.
>
> regards, tom lane
>
--
Marc marc@bloodnok.com