Greetings,
* Craig Ringer (craig@2ndquadrant.com) wrote:
> Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the
> admin that GRANTing an untrusted PL effectively gives the user the ability
> to escape to superuser.
I don't know that we really want to get into the business of issuing a
NOTICE or WARNING in such cases. We don't do that in a lot of other
cases where non-superusers can be GRANT'd access which would allow them
to become a superuser and if we start doing it now then we're going to
need to go back and change the existing places to have such NOTICE or
WARNING, or we'll be inconsistent about it, which would be worse. I
also worry that we'd start wanting to have NOTICEs for when we are
allowing users to GRANT roles (like pg_monitor) that might get access to
data that isn't obvious, even if they aren't able to become a superuser
and it just gets ugly.
Thanks!
Stephen