Tom Lane wrote:
> hubert depesz lubaczewski <depesz@depesz.com> writes:
> > was pointed to the fact that security definer functions have the same
> > default privileges as normal functions in the same language - i.e. if
> > the language is trusted - public has the right to execute them.
>
> > maybe i'm missing something important, but given the fact that security
> > definer functions are used to get access to things that you usually
> > don't have access to - shouldn't the privilege be revoked by default,
> > and grants left for dba to decide?
>
> I don't see that that follows, at all. The entire point of a security
> definer function is to provide access to some restricted resource to
> users who couldn't get at it with their own privileges. Having it start
> with no privileges would be quite useless.
Sorry for the late reply, but isn't this exactly what we do when we
create schemas? We create them with owner-only permissions because it
closes a window of vunlerability if somone creates the schema and then
tries to lock it down later. Is the security-definer function a similar
case that should start as owner-only?
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +