On Fri, Dec 15, 2006 at 11:52:33AM -0500, Andrew Dunstan wrote: > Isn't the problem that they can do more than just things with the table? > If the trigger runs as the owner of the table it can do *anything* the > owner can do. So if we allow the alter privilege to include ability to > place a trigger then that privilege includes everything the owner can do > (including granting/revoking other privileges). Surely that is not what > was intended. Arguably we should invent a concept of an explicit trigger > owner.
I thought the problem was the other way round. That some person created a function as SECURITY DEFINER but restricted EXECUTE permissions. And now anybody can create a table and use that function as a trigger and it will be executed even though neither the owner of the table nor the person executing the trigger has EXECUTE permissions. Triggers don't have owners because like you said, the table owner controls them. The point is that there's no check that the table owner is actually allowed to execute the function being used as trigger. The trigger never runs as the owner of the table AIUI, only ever as the definer of the function or as session user. Have a nice day, -- Martijn van Oosterhout <firstname.lastname@example.org> http://svana.org/kleptog/ > From each according to his ability. To each according to his ability to > litigate.
Description: Digital signature