On Wed, Jul 16, 2014 at 07:45:56PM -0400, Tom Lane wrote: > A look at check_object_ownership suggests that you could take the TRIGGER > case out of the generic relation path and make it a special case that > allows either ownership or TRIGGER permission. > > TBH, though, I'm not sure this is something to pursue. We discussed all > this back in 2006. As I pointed out at the time, giving somebody TRIGGER > permission is tantamount to giving them full control of your account: > http://www.postgresql.org/message-id/21827.1166115...@sss.pgh.pa.us > because they can install a trigger that will execute arbitrary code with > *your* privileges the next time you modify that table. > > I think we should get rid of the separate TRIGGER privilege altogether, > not make it an even bigger security hole.
Uh, how does removing a trigger cause a larger security hole? As long as users can create triggers, removal seems logical. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
