On 3/2/15 4:47 PM, Robert Haas wrote: > On Sat, Feb 28, 2015 at 12:27 AM, Stephen Frost <sfr...@snowman.net> wrote: >> While this generally "works", the usual expectation is that functions >> that should be superuser-only have a check in the function rather than >> depending on the execute privilege. I'm certainly happy to debate the >> merits of that approach, but for the purposes of this patch, I'd suggest >> you stick an if (!superuser()) ereport("must be superuser") into the >> function itself and not work about setting the correct permissions on >> it. > > -1. If that policy exists at all, it's a BAD policy, because it > prevents users from changing the permissions using DDL. I think the > superuser check should be inside the function, when, for example, it > masks some of the output data depending on the user's permissions. > But I see little virtue in handicapping an attempt by a superuser to > grant SELECT rights on pg_file_settings.
This is in fact how most if not all code ensures supervisor-only access to functions, so for the purpose of this patch, I think it is the correct approach. Someone may well change that soon after, if the other ongoing efforts conclude. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers