Re: [BUG] SECURITY DEFINER on call handler makes daemon crash

From Robert Haas
Subject Re: [BUG] SECURITY DEFINER on call handler makes daemon crash
Msg-id 603c8f071003192056qb443f1cxf4e9a07fdfc5cb70@mail.gmail.com
In reply to Re: [BUG] SECURITY DEFINER on call handler makes daemon crash  (KaiGai Kohei <kaigai@kaigai.gr.jp>)
List pgsql-hackers
On Fri, Mar 19, 2010 at 10:29 PM, KaiGai Kohei <kaigai@kaigai.gr.jp> wrote:
> Is it an expected behavior that PostgreSQL tries to execute foo() with
> privileges of the owner of language call handler because of its security
> definer property? This server crash is just a result.

I'm inclined to feel (and Tom's response only reinforces this) that
the actual behavior isn't critical.  I'd be happy with (1) executing
foo() with the privileges of the language owner or (2) ignoring the
SECURITY DEFINER attribute in this context and executing foo() without
changing privileges or (3) throwing an error.  We should just do
whatever complicates the code the least.  Your proposed patch seems
good from that point of view, though I'm not clear on whether it's
otherwise reasonable or which of the above behaviors it actually
implements.

...Robert

