On Sat, 2007-09-01 at 13:55 -0400, Tom Lane wrote: > You already have that issue with respect to the default public execute > permissions on the function. The standard solution is to do it in a > transaction block --- then no one can even see the function until you > commit.
It might be a good idea to have the ability to revoke privileges at CREATE FUNCTION time also. That could clutter up the CREATE FUNCTION syntax, but would offer an opportunity to document the danger of default public execute in a SECURITY DEFINER function. Something like: CREATE FUNCTION ... LANGUAGE plpgsql SECURITY DEFINER REVOKE EXECUTE FROM PUBLIC; Even if we don't do that, we should at least document your standard solution here: http://www.postgresql.org/docs/8.2/static/sql-createfunction.html It is already documented here: http://www.postgresql.org/docs/8.2/static/sql-grant.html But the CREATE FUNCTION page has a section titled "Writing SECURITY DEFINER Functions Safely", so I think it's useful to have it there, too. Regards, Jeff Davis ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq
