Re: Security leak with trigger functions?

Peter,

> PostgreSQL only allows a trigger action of "call this function", so in
> the SQL standard context that would mean we'd need to check the EXECUTE
> privilege of the owner of the trigger.  The trick is figuring out who
> the owner is.  If it's the owner of the table, then TRIGGER privilege
> is effectively total control over the owner of the table.  If it's
> whoever created the trigger, it might be useful, but I don't see how
> that is compatible with the intent of the SQL standard.

If that's the case, then a separate TRIGGER priveledge would seem to be 
superfluous.

One thing to think about, though; our model allows granting ALTER 
privelidge on a table to roles other than the table owner.  It would seem 
kind of inconsistent to be able to grant non-owner roles the ability to 
drop a column, but restrict only the owner to adding a trigger.  For one 
thing, if you have a non-owner role which has ALTER permission and wants 
to add an FK, how would that work?

-- 
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco