"Kevin Grittner" <Kevin.Grittner@wicourts.gov> writes:
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> A less bizarre and considerably more future-proof restriction,
>> IMO, would simply refuse any attempt to give ownership of a C
>> function to a non-superuser.
> We have C replication trigger functions where this would be a bad
> thing. They can't work properly as SECURITY INVOKER, and I see it
> as a big step backwards in security to make the only other option
> SECURITY DEFINER with a superuser as the owner.
Could you provide more details about that? If nothing else, this
could be handled with a non-C wrapper function, but I'm not clear
on the generality of the use-case.
> It's not too hard
> to come up with other use cases where you want to grant one class of
> users rights to do something only through a certain function, not
> directly.
Generally I'd imagine that that has something to do with permission
to call the function, not with who owns it.
Basically, if we go down the road Noah is proposing, I foresee a steady
stream of security bugs and ensuing random restrictions on what function
owners can do. I do not like that future.
regards, tom lane