Re: lowering privs in SECURITY DEFINER function

Excerpts from A.M.'s message of mié abr 06 19:08:35 -0300 2011:

> That's really strange considering that the new role may not normally
> have permission to switch to the original role. How would you handle
> the case where the security definer role is not the super user?

As I said to Jeff, it's up to the creator of the wrapper function to
ensure that things are safe.  Perhaps this new operation should only be
superuser-callable, for example.

> How would you prevent general SQL attacks when manually popping the
> authentication stack is allowed?

The popping and pushing operations would be restricted.  You can only
pop a single frame, and pushing it back before returning is mandatory.

-- 
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support