On Tue, Mar 12, 2024 at 01:22:33PM +0100, Laurenz Albe wrote:
> On Tue, 2024-03-12 at 12:40 +0200, Maxim Boguk wrote:
> > May I suggest a change to always allow superuser run
> > REFRESH MATERIALIZED VIEW (may be via set role or similar mechanics)?
>
> If the query ran with superuser permissions, that would be
> a security problem:
>
> CREATE TABLE log (t text);
>
> CREATE FUNCTION f() RETURNS integer LANGUAGE sql
> AS 'INSERT INTO log VALUES (''x''); SELECT 42';
>
> CREATE MATERIALIZED VIEW v AS SELECT f();
>
> Now imagine you create a malicious trigger on "log" and
> get a superuser to refresh the materialized view.
>
>
> I don't see why it should be a problem if a superuser gets
> "permission denied" in such a case. They can also get it if
> they call a SECURITY DEFINER function owned by a non-superuser.
Can we improve the error that superusers get so they realize how to fix
it?
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.