Re: lowering privs in SECURITY DEFINER function
From | Alvaro Herrera |
---|---|
Subject | Re: lowering privs in SECURITY DEFINER function |
Date | |
Msg-id | 1302552756-sup-7075@alvh.no-ip.org |
In response to | Re: lowering privs in SECURITY DEFINER function (Robert Haas <robertmhaas@gmail.com>) |
List | pgsql-hackers |

Excerpts from Robert Haas's message of dom abr 10 13:37:46 -0300 2011:

> It's maybe worth noting here that what's being asked for is roughly
> what you get from UNIX's distinction between euid and ruid.  Many
> programs that run setuid root perform a few operations that require
> root privileges up front, and then drop privs.  To what degree that
> model applies in an SQL environment I'm not sure, but it might be
> worth looking at some of the parallels, as well as some of the ways
> that the UNIX mechanism has managed to cause all sorts of privilege
> escalation bugs over the years, to make sure we don't repeat those
> mistakes.

Thanks for mentioning that. It made me recall a couple of articles I read some time ago, http://lwn.net/Articles/416494/ and http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html

--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support