Tom Lane wrote:
Tim Bunce <tim.bu...@pobox.com> writes:
I do see a need for a GRANT check and I'm adding one now (based on
the code in CreateFunction() in functioncmds.c - thanks to RhodiumToad
on IRC for the pointer).
What exactly are you proposing to check, and where, and what do you
think that will fix?
If the concern is that someone could sabotage the behavior of a plperl
function by changing things around in the perl_init script, then I think
we have to forget about making it USERSET. Whether someone has been
granted permission to use plperl seems to me to have little to do with
whether it's okay to mess up a function (possibly a SECURITY DEFINER
one) belonging to someone else.
If we are seriously worried about use of %_SHARED in security definer
functions then ISTM the right thing might be to have more than one and
swap in the one for the effective user in a security definer function.
Or possibly even disable it altogether in security definer functions.
%_SHARED has been around for several years now, and if there are genuine
security concerns about it ISTM they would apply today, regardless of
these patches.
cheers
andrew
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
