On 19 December 2012 06:34, Magnus Hagander <mag...@hagander.net> wrote:
> Granting executability on pg_read_xyz is pretty darn close to granting > superuser, without explicitly asking for it. Well, you get "read only > superuser". If we want to make that step as easy as just GRANT, we > really need to write some *very* strong warnings in the documentation > so that people realize this. I doubt most people will realize it > unless we do that (and those who don't read the docs, whch is probably > a majority, never will). Good point. Can we do that explicitly with fine grained superuser-ness? GRANT SUPERUSER ON FUNCTION .... TO foo; > If you use SECURITY DEFINER, you can limit the functions to *the > specific files that you want to grant read on*. Which makes it > possible to actually make it secure. E.g. you *don't* have to give > full read to your entire database. Even better point > If you're comparing it to a blanket SECURITY DEFINER with no checks, > then yes, it's a simpler way to fire the cannon into your own foot, > yes. But if also gives you a way that makes it more likely that you > don't *realize* that you're about to fire a cannon into your foot. -- Simon Riggs http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
