(2010/03/20 13:37), Tom Lane wrote: > KaiGai Kohei<kai...@kaigai.gr.jp> writes: >> Is it an expected behavior that PostgreSQL tries to execute foo() with >> privileges of the owner of language call handler because of its security >> definer property? This server crash is just a result. > > A language call handler has no function properties of its own --- which > is why attaching SECURITY DEFINER to it is both useless and meaningless. > The appropriate function properties for any call are those of the user > function being called, which the handler is merely a support for.
OK, I also think the call handlers should work transparently like air. > You could argue that we should put call handlers into their own table > instead of pg_proc, since they aren't really user-callable functions; > that would prevent people from thinking that something like this is > sane. However, they share just enough infrastructure with real > functions that it didn't seem worth doing it that way. > > I see no value whatsoever in making the world safe for people to attach > SECURITY DEFINER to handlers. It's an incorrect declaration, and > superusers need to know better than to declare C functions with > incorrect properties. I basically agree that this matter does not happen unless user intend to assign SECURITY DEFINER attribute on the language call handlers, although it is nonsense. The reason why I reported it is that it was not clear for me whether the development team knows this matter, and I doubted the design we can assign this nonsense attribute from the perspective of fool-proof. Fool-proof is a term from human-interface. It tells us manufactured-product should work safely, even if user tries to abuse it. A microwave-oven does not work without closing its door, for example. In my sense, we should care about known matters at least. Thanks, -- KaiGai Kohei <kai...@ak.jp.nec.com> -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
