Martijn van Oosterhout wrote:
On Fri, Dec 15, 2006 at 11:52:33AM -0500, Andrew Dunstan wrote:
Isn't the problem that they can do more than just things with the table? If the trigger runs as the owner of the table it can do *anything* the owner can do. So if we allow the alter privilege to include ability to place a trigger then that privilege includes everything the owner can do (including granting/revoking other privileges). Surely that is not what was intended. Arguably we should invent a concept of an explicit trigger owner.


I thought the problem was the other way round. That some person created
a function as SECURITY DEFINER but restricted EXECUTE permissions. And
now anybody can create a table and use that function as a trigger and
it will be executed even though neither the owner of the table nor the
person executing the trigger has EXECUTE permissions.

Triggers don't have owners because like you said, the table owner
controls them. The point is that there's no check that the table owner
is actually allowed to execute the function being used as trigger.

The trigger never runs as the owner of the table AIUI, only ever as the
definer of the function or as session user.



OK, sorry for the confusion.

cheers

andrew


---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at

               http://www.postgresql.org/about/donate

Reply via email to