Re: allowing privileges on untrusted languages
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Kohei KaiGai <kaigai@kaigai.gr.jp>, Simon Riggs <simon@2ndquadrant.com>, Peter Eisentraut <peter_e@gmx.net>, pgsql-hackers@postgresql.org
Date: 2013-01-27T18:09:50Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > On Fri, Jan 25, 2013 at 2:59 PM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote: >> 2013/1/20 Tom Lane <tgl@sss.pgh.pa.us>: >>> The traditional answer to that, which not only can be done already in >>> all existing releases but is infinitely more flexible than any >>> hard-wired scheme we could implement, is that you create superuser-owned >>> security-definer functions that can execute any specific operation you >>> want to allow, and then GRANT EXECUTE on those functions to just the >>> people who should have it. > This is valid, but I think that the people who want this functionality > are less interest in avoiding bugs in trusted procedures than they are > in avoiding the necessity for the user to have to learn the local > admin-installed collection of trusted procedures. Sure, but given that we are working on event triggers, surely the correct solution is to make sure that user-provided event triggers can cover permissions-checking requirements, rather than to invent a whole new infrastructure that's guaranteed to never really satisfy anybody. regards, tom lane