Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)

Kevin Grittner <kevin.grittner@wicourts.gov>

From: "Kevin Grittner" <Kevin.Grittner@wicourts.gov>
To: "Stephen Frost" <sfrost@snowman.net>, "Tom Lane" <tgl@sss.pgh.pa.us>
Cc: "Robert Haas" <robertmhaas@gmail.com>, "Noah Misch" <noah@leadboat.com>,<pgsql-hackers@postgresql.org>
Date: 2012-06-12T21:08:09Z
Lists: pgsql-hackers
>Stephen Frost <sfrost@snowman.net> wrote: 
 
> If we had an independent way to have the function run as a
> specific user, where that user DIDN'T own the function, I think
> Kevin's use case would be satisfied.
 
I agree.  I'm not sure quite what that would look like, but maybe
SECURITY ROLE <rolename> or some such could be an alternative to
SECURITY INVOKER and SECURITY DEFINER.  (I haven't looked to see
what the standard has here.)
 
-Kevin