Re: Is a SERIAL column a "black box", or not?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: Martijn van Oosterhout <kleptog(at)svana(dot)org>, pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Is a SERIAL column a "black box", or not?
Date: 2006-05-01 16:12:14
Message-ID: 6368.1146499934@sss.pgh.pa.us
Lists: pgsql-hackers

Bruno Wolff III <bruno(at)wolff(dot)to> writes:
> The summary is that I was suggesting that default expressions, triggers and
> constraints should all run as the table owner instead of the invoker as
> there was little use for them to need the access of the invoker, while there
> was benefit in having them run as the owner.

I can see doing this for defaults and constraints, but there is a serious
objection for triggers: you could not use a trigger with
    new.blame_me := current_user;
as a more-bulletproof implementation of the tracking column I was on
about before. Furthermore, there already is a way to express the
desired behavior for triggers (when it is in fact the desired behavior):
make the trigger function SECURITY DEFINER.

> In addition there is a mild security issue in that default expressions
> and constraints could be used as trojans so that inserting data into a
> table could allow that table owner the ability to do things they
> shouldn't be doing to the invoker's table.

This risk would exist anyway unless you put strange constraints on
RESET ROLE. It's in general no problem to get back to the outermost
level's security settings.

regards, tom lane
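
The two trigger behaviours discussed in this message, side by side, as an added example that is not part of the original email or of PostgreSQL's own code. It assumes PostgreSQL 11 or later; the table, column (other than blame_me) and function names are hypothetical.

```sql
-- Constructed schema for illustration; all object names are hypothetical.
CREATE TABLE orders (
    id       serial PRIMARY KEY,
    item     text NOT NULL,
    blame_me name              -- tracking column, filled by the trigger below
);

-- Audit table with no grants: only its owner can read or write it.
CREATE TABLE orders_audit (
    order_id   integer,
    changed_by name,
    changed_at timestamptz DEFAULT now()
);

-- 1. Default (invoker-rights) trigger function. current_user is the role
--    that issued the INSERT/UPDATE, and whatever the client supplied for
--    blame_me is overwritten, so the column cannot be spoofed by the caller.
CREATE FUNCTION orders_stamp() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    NEW.blame_me := current_user;
    RETURN NEW;
END;
$$;

CREATE TRIGGER orders_stamp BEFORE INSERT OR UPDATE ON orders
    FOR EACH ROW EXECUTE FUNCTION orders_stamp();

-- 2. SECURITY DEFINER trigger function. It runs with the privileges of the
--    function owner, so it can write orders_audit even though the invoker
--    cannot. Inside it current_user is the owner, so the caller is taken
--    from session_user (the login role, unaffected by SET ROLE).
--    search_path is pinned and objects are schema-qualified so the invoker
--    cannot substitute objects of their own into the privileged code.
CREATE FUNCTION orders_audit_row() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    INSERT INTO public.orders_audit (order_id, changed_by)
    VALUES (NEW.id, session_user);
    RETURN NULL;               -- result of an AFTER ROW trigger is ignored
END;
$$;

CREATE TRIGGER orders_audit_row AFTER INSERT OR UPDATE ON orders
    FOR EACH ROW EXECUTE FUNCTION orders_audit_row();
```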
