On 7/9/08, ITAGAKI Takahiro <[EMAIL PROTECTED]> wrote: > Dean Rasheed <[EMAIL PROTECTED]> wrote: > > * client_sql_trace = on | off - settable by a normal user to allow a > > client session to see the sql_trace output. If this parameter is on, > > the sql_trace will be logged as NOTICE output. > > > In terms of security, is it ok to show normal users SQLs used in functions > that are owned by other users? Users can call not-owned functions only if > they have EXECUTE privilege on them. -- presently we can see function > bodies from pg_proc.prosrc freely, though.
Different owner is not a problem, but SECURITY DEFINER may be. That can be solved by turning the setting off on entry to such function, by non-superuser. Like we handle search_path. -- marko -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
