Re: Security leak with trigger functions?
From | Andrew Dunstan |
---|---|
Subject | Re: Security leak with trigger functions? |
Date | |
Msg-id | 4582D880.1060100@dunslane.net |
In reply to | Re: Security leak with trigger functions? (Martijn van Oosterhout <kleptog@svana.org>) |
List | pgsql-hackers |
Martijn van Oosterhout wrote:
> On Fri, Dec 15, 2006 at 11:52:33AM -0500, Andrew Dunstan wrote:
>
>> Isn't the problem that they can do more than just things with the table?
>> If the trigger runs as the owner of the table it can do *anything* the
>> owner can do. So if we allow the alter privilege to include ability to
>> place a trigger then that privilege includes everything the owner can do
>> (including granting/revoking other privileges). Surely that is not what
>> was intended. Arguably we should invent a concept of an explicit trigger
>> owner.
>>
>
> I thought the problem was the other way round. That some person created
> a function as SECURITY DEFINER but restricted EXECUTE permissions. And
> now anybody can create a table and use that function as a trigger and
> it will be executed even though neither the owner of the table nor the
> person executing the trigger has EXECUTE permissions.
>
> Triggers don't have owners because like you said, the table owner
> controls them. The point is that there's no check that the table owner
> is actually allowed to execute the function being used as trigger.
>
> The trigger never runs as the owner of the table AIUI, only ever as the
> definer of the function or as session user.
>
>

OK, sorry for the confusion.

cheers

andrew
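An audit query for the gap described in the quoted text (a trigger whose table owner is not allowed to execute the trigger function), added here as an example and not part of the original message. It assumes PostgreSQL 9.0 or later for the `tgisinternal` column and must be run in each database by a role that can read the system catalogs.

```sql
-- Added example: list user-defined triggers whose table owner does NOT hold
-- EXECUTE on the function the trigger calls. SECURITY DEFINER functions are
-- sorted first, because those run with the function owner's privileges
-- rather than the session user's.
SELECT c.oid::regclass              AS table_name,
       pg_get_userbyid(c.relowner)  AS table_owner,
       t.tgname                     AS trigger_name,
       p.oid::regprocedure          AS trigger_function,
       pg_get_userbyid(p.proowner)  AS function_owner,
       p.prosecdef                  AS security_definer
FROM   pg_trigger t
JOIN   pg_class   c ON c.oid = t.tgrelid
JOIN   pg_proc    p ON p.oid = t.tgfoid
WHERE  NOT t.tgisinternal           -- skip constraint/FK triggers created by the system
  AND  NOT has_function_privilege(c.relowner, p.oid, 'EXECUTE')
ORDER  BY p.prosecdef DESC, table_name, trigger_name;
```

An empty result means every trigger's table owner currently holds EXECUTE on its function; superuser table owners never appear, since `has_function_privilege` always returns true for them.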