Re: Allow GRANT TRIGGER privilege to DROP TRIGGER (Re: Bug ##7716)

On Wed, Jul 16, 2014 at 07:45:56PM -0400, Tom Lane wrote:
> A look at check_object_ownership suggests that you could take the TRIGGER
> case out of the generic relation path and make it a special case that
> allows either ownership or TRIGGER permission.
> 
> TBH, though, I'm not sure this is something to pursue.  We discussed all
> this back in 2006.  As I pointed out at the time, giving somebody TRIGGER
> permission is tantamount to giving them full control of your account:
> http://www.postgresql.org/message-id/21827.1166115978@sss.pgh.pa.us
> because they can install a trigger that will execute arbitrary code with
> *your* privileges the next time you modify that table.
> 
> I think we should get rid of the separate TRIGGER privilege altogether,
> not make it an even bigger security hole.

Uh, how does removing a trigger cause a larger security hole?  As long
as users can create triggers, removal seems logical.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + Everyone has their own god. +