Andres Freund <and...@anarazel.de> writes:
> On 2021-04-12 23:51:02 +0300, Andrey Borodin wrote:
>> Do I risk having some extra superusers in my installation if I allow
>> everyone to create LEAKPROOF functions?

> I think that depends on what you define "superuser" to exactly
> be. Defining it as "has a path to executing arbitrary native code", I
> don't think, if implemented sensibly, allowing to set LEAKPROOF on new
> functions would equate superuser permissions. But you soon after might
> hit further limitations where lifting them would have such a risk,
> e.g. defining new types with in/out functions.

I think the issue here is more that superuser = "able to break the
security guarantees of the database". I doubt that falsely labeling
a function LEAKPROOF can get you more than the ability to read data
you're not supposed to be able to read ... but that ability is then
available to all users, or at least all users who can execute the
function in question. So it definitely is a fairly serious security
hazard, and one that's not well modeled by role labels. If you give
somebody e.g. pg_read_all_data privileges, you don't expect that that
means they can give it to other users.

regards, tom lane
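The hazard Tom describes, as an added SQL example that is not part of the thread: a function that is not actually leakproof gets the LEAKPROOF label, the planner therefore evaluates it ahead of a security_barrier view's row filter, and the function sees rows the calling role is not allowed to read. It assumes a scratch PostgreSQL database, a superuser session for the setup, and made-up names (app_user, accounts, my_accounts, noisy_eq); the final query is a defensive audit of who owns LEAKPROOF functions outside pg_catalog.

```sql
-- Added example, not code from the thread. Run as a superuser in a scratch
-- database; all role, table, view and function names are made up.
CREATE ROLE app_user;
CREATE TABLE accounts (owner text, balance int);
INSERT INTO accounts VALUES ('app_user', 100), ('someone_else', 999);

-- Row filtering is done by a security_barrier view: app_user may only see
-- its own rows and receives no privilege on the base table.
CREATE VIEW my_accounts WITH (security_barrier = true) AS
  SELECT owner, balance FROM accounts WHERE owner = current_user;
GRANT SELECT ON my_accounts TO app_user;

-- This function is NOT leakproof: it reveals its argument via a NOTICE.
-- Labeling it LEAKPROOF anyway is exactly the mislabeling discussed above.
-- The tiny COST makes the planner order it before the view's own WHERE
-- clause, which the LEAKPROOF label permits for a security_barrier view.
CREATE FUNCTION noisy_eq(int, int) RETURNS boolean
  LANGUAGE plpgsql IMMUTABLE LEAKPROOF COST 0.0001 AS $$
BEGIN
  RAISE NOTICE 'saw balance %', $1;
  RETURN $1 = $2;
END $$;

-- As app_user the result set is still filtered, but the NOTICE fires for
-- someone_else's row too: the function read data the role may not see,
-- and every role that can EXECUTE it gets the same leak.
SET ROLE app_user;
SELECT * FROM my_accounts WHERE noisy_eq(balance, 999);
RESET ROLE;

-- Defensive check: list LEAKPROOF functions outside pg_catalog and their
-- owners, so mislabeled functions and non-superuser owners stand out.
SELECT p.oid::regprocedure AS function, r.rolname AS owner, r.rolsuper
FROM pg_proc p
JOIN pg_roles r ON r.oid = p.proowner
WHERE p.proleakproof
  AND p.pronamespace <> 'pg_catalog'::regnamespace;
```

Run the SELECT under EXPLAIN to see that noisy_eq is placed in the subquery scan's filter together with the view's own qual rather than above it.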