* Gregory Stark ([EMAIL PROTECTED]) wrote: > Actually from a security point of view revoking public execute is pretty much > the same as making a function super-user-only. The only difference is how much > of a hassle it is for the super-user to grant access. Perhaps we should > reconsider whether any of the other super-user-only functions should be simply > not executable by default but work normally if granted.
Revoking public execute on it by default would definitely make me happier. I could be swayed either way on the explicit super-user check in the function itself. In the general case, imv we should at least attempt to consider the risk involved in improper handling of the permissions around super-user-only functions. Higher risk implies an extra check in the code to force use of SECURITY DEFINER functions to work around it, in an attempt to impart the severity of the risk. Thinking about it a bit more, I'd honestly like to see the check there for dblink(). That's not entirely fair of me though I suppose, I really don't feel comfortable with dblink() to begin with and don't expect I'll ever use it. :) Thanks, Stephen
Description: Digital signature