On Wed, Sep 20, 2006 at 11:59:52AM +0200, Markus Schaber wrote:
> But I have the possibility to "chmod a-x" before "chmod +s" the file.
>
> Maybe we should add "[NOT] PUBLICLY EXECUTABLE"[1] keywords to CREATE
> FUNCTION, with the default being the current behaviour for now (possibly
> configurable
Hi, Martijn,
Martijn van Oosterhout wrote:
> Someone writing SECURITY DEFINER in their function definition has to be
> understood to know what they're doing. After all, "chmod +s" doesn't
> reset global execute permissions either, because that would be far too
> confusing. The same applies here I
Jim C. Nasby wrote:
This pg_dump issue keeps biting us in the rear... I think at the very
least we should have a means for a dump file to tell the backend that
it's about to process a dump file generated by version XYZ. That at
least gives us the ability to handle prior version incompatibilities.
Jim C. Nasby wrote:
> On Mon, Sep 18, 2006 at 01:59:00PM -0400, Andrew Dunstan wrote:
> >
> > Pascal Meunier wrote:
> > >Thanks for answering; I appreciate it, as well as the efforts of all the
> > >people who contributed to this database that I now use in my projects.
> > >
> > >However, I feel
On Mon, Sep 18, 2006 at 01:59:00PM -0400, Andrew Dunstan wrote:
>
> Pascal Meunier wrote:
> >Thanks for answering; I appreciate it, as well as the efforts of all the
> >people who contributed to this database that I now use in my projects.
> >
> >However, I feel that making a decision based on th
On Mon, Sep 18, 2006 at 02:49:23PM -0400, Pascal Meunier wrote:
> regardless of the outcome. Moreover, I'd rather be a carpet to the
> PostgreSQL developers than be cited as the cause for a security improvement
> not being made, due to having antagonized so much the developers. Please,
> consider
On 9/18/06 2:00 PM, "Tom Lane" <[EMAIL PROTECTED]> wrote:
> Pascal Meunier <[EMAIL PROTECTED]> writes:
>> I asked MITRE to provide a CCE number for this issue (the CCE is a new
>> effort like the CVE, but for configuration issues instead of
>> vulnerabilities). I'll let you know if it happens.
Pascal Meunier <[EMAIL PROTECTED]> writes:
> I asked MITRE to provide a CCE number for this issue (the CCE is a new
> effort like the CVE, but for configuration issues instead of
> vulnerabilities). I'll let you know if it happens.
Trying to force us to change things by getting Mitre involved is
Pascal Meunier wrote:
Thanks for answering; I appreciate it, as well as the efforts of all the
people who contributed to this database that I now use in my projects.
However, I feel that making a decision based on the number of prior and
possible future complaints is a poor excuse to not do th
Thanks for answering; I appreciate it, as well as the efforts of all the
people who contributed to this database that I now use in my projects.
However, I feel that making a decision based on the number of prior and
possible future complaints is a poor excuse to not do the right thing. A
low num
"Jim C. Nasby" <[EMAIL PROTECTED]> writes:
> On Thu, Sep 14, 2006 at 10:24:43AM -0400, Pascal Meunier wrote:
>> My request is to allow changing default permissions for function creation, a
>> la "umask", or at least not give PUBLIC execute permissions by default.
> Hrm... do we have any other obje
On Thu, Sep 14, 2006 at 10:24:43AM -0400, Pascal Meunier wrote:
> First, I asked about this on #postgresql, and I realize that this request
> would be a low priority item. Yet, it would be an improvement for security
> reasons.
>
> When creating a function using EXTERNAL SECURITY DEFINER, by defa
First, I asked about this on #postgresql, and I realize that this request
would be a low priority item. Yet, it would be an improvement for security
reasons.
When creating a function using EXTERNAL SECURITY DEFINER, by default PUBLIC
has execute privileges on it. That's unexpected given that whe
13 matches