Re: AW: AW: AW: [PATCH] Re: Setuid functions
От | Peter Eisentraut |
---|---|
Тема | Re: AW: AW: AW: [PATCH] Re: Setuid functions |
Дата | |
Msg-id | Pine.LNX.4.30.0106251826410.724-100000@peter.localdomain обсуждение исходный текст |
Ответ на | AW: AW: AW: [PATCH] Re: Setuid functions (Zeugswetter Andreas SB <ZeugswetterA@wien.spardat.at>) |
Список | pgsql-hackers |
Zeugswetter Andreas SB writes: > Hmm? A non-setuid function can execute code written by another user, > but is only allowed to do things the "invoker" has privileges for. > Thus it is a convenience, but does not allow the invoker to do anything > he could not type himself. > Not so with setuid functions, that is exactly why they are handy. > Without making the "definer" need an additional grant for creating such > a function, it would be like giving him all the privs he has > "with grant option". SQL99 has an answer for this: [11.49 GR1] 1) If R is a schema-level routine, then a privilege descriptor is created that defines the EXECUTE privilegeon R to the <authorization identifier> that owns the schema that includes R. The grantor forthe privilege descriptor is set to the special grantor value "_SYSTEM". This privilege is grantable if and only if one of the following is satisfied: a) R is an SQL routine and all of the privileges necessary for the <authorization identifier> to successfullyexecute the <SQL procedure statement> contained in the <routine body> are grantable.The necessary privileges include the EXECUTE privilege on every subject routine of every <routine invocation> contained in the <SQL procedure statement>. What this means (to me) is that unless you have grantable privileges for all the things that your function does, you can't grant the EXECUTE privilege to anyone. This rule, while logical, isn't exactly pleasant, since we can hardly evaluate statically what a function will do (shades of the halting problem). I think your concern is valid. Maybe we can do this: 1. The proposed commands only work in "setuid" functions (like in Unix) 2. To create a setuid function you need some privilege. Part 2 will be a problem, but both the implementation process and the implementation itself might terminate in finite time. ;-) -- Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
В списке pgsql-hackers по дате отправления: