On Fri, Feb 11, 2022 at 05:05:20PM -0500, Tom Lane wrote:
> Bryn Llewellyn <b...@yugabyte.com> writes:
> > I confess that I'm surprised by the choice of the default behavior. It
> > seems to be at odds with the principle of least privilege that insists that
> > you actively opt in to any relevant privilege.
>
> I'd be the first to agree that this behavior sacrifices security
> principles for convenience. However, it's not that big a deal
> in practice, because functions that aren't SECURITY DEFINER can't
> do anything that the caller couldn't do anyway. You do need to
> be careful about the default PUBLIC grant if you're making a
> SECURITY DEFINER function, but that's a minority use-case.
How would you do that securely? Create the function and set its
permissions in a transaction block?

> (I wonder if it'd be practical or useful to emit a warning when
> granting permissions on an object that already has a grant of
> the same permissions to PUBLIC. That would at least cue people
> who don't understand about this behavior that they ought to look
> more closely.)

Agreed.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.
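The transaction-block approach raised in the reply above, worked through as an added example (this is editorial illustration, not code from the thread or from PostgreSQL itself). Because DDL in PostgreSQL is transactional, a function created and re-granted inside one transaction is never visible to other sessions with the implicit PUBLIC EXECUTE grant in place. The role names (app_owner, app_reader), the table secrets and the function lookup_secret are hypothetical; the catalog query at the end lists SECURITY DEFINER functions that still carry a PUBLIC EXECUTE grant, which is the audit a practitioner would run after the fact:

```sql
-- Added example, not part of the mailing-list thread.
-- Run as the role that should own the function (here a hypothetical app_owner).

BEGIN;

CREATE OR REPLACE FUNCTION lookup_secret(p_id integer)
RETURNS text
LANGUAGE sql
SECURITY DEFINER
-- Pin search_path so a caller cannot shadow objects the owner's code relies on.
SET search_path = pg_catalog, public
AS $$ SELECT value FROM secrets WHERE id = p_id $$;

-- CREATE FUNCTION implicitly granted EXECUTE to PUBLIC; take it back before COMMIT
-- so no other session ever sees the function in that state.
REVOKE EXECUTE ON FUNCTION lookup_secret(integer) FROM PUBLIC;

-- Opt in only the roles that actually need it.
GRANT EXECUTE ON FUNCTION lookup_secret(integer) TO app_reader;

COMMIT;

-- Systemic alternative: change the default for every function app_owner creates
-- from now on in this schema, so the REVOKE above is no longer needed per function.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Audit: SECURITY DEFINER functions outside the system schemas that PUBLIC can
-- still execute. proacl IS NULL means the built-in default applies, which for
-- functions includes PUBLIC EXECUTE; aclexplode() reports PUBLIC as grantee 0.
SELECT n.nspname AS schema,
       p.proname AS function,
       pg_get_function_identity_arguments(p.oid) AS args
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  (p.proacl IS NULL
        OR EXISTS (SELECT 1
                   FROM   aclexplode(p.proacl) a
                   WHERE  a.grantee = 0
                     AND  a.privilege_type = 'EXECUTE'))
ORDER  BY 1, 2;
```

The audit query should return no rows once the REVOKE has been applied; any row it does return is a SECURITY DEFINER function that every role in the database can call with the owner's privileges.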