On 3/2/15 4:47 PM, Robert Haas wrote:
> On Sat, Feb 28, 2015 at 12:27 AM, Stephen Frost <sfr...@snowman.net> wrote:
>> While this generally "works", the usual expectation is that functions
>> that should be superuser-only have a check in the function rather than
>> depending on the execute privilege. I'm certainly happy to debate the
>> merits of that approach, but for the purposes of this patch, I'd suggest
>> you stick an if (!superuser()) ereport("must be superuser") into the
>> function itself and not work about setting the correct permissions on
>> it.
>
> -1. If that policy exists at all, it's a BAD policy, because it
> prevents users from changing the permissions using DDL. I think the
> superuser check should be inside the function, when, for example, it
> masks some of the output data depending on the user's permissions.
> But I see little virtue in handicapping an attempt by a superuser to
> grant SELECT rights on pg_file_settings.
This is in fact how most if not all code ensures supervisor-only access
to functions, so for the purpose of this patch, I think it is the
correct approach. Someone may well change that soon after, if the other
ongoing efforts conclude.
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
