Participants
Greg Steffensen
Greg Steffensen
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1Greg SteffensenGreg Steffensen
Dec 09, 2007
#2Tom LaneTom Laneto Greg Steffensen (#1)
Dec 09, 2007
#3Greg SteffensenGreg Steffensento Tom Lane (#2)
Dec 09, 2007

function permissions question

Started by Greg Steffensenover 18 years ago3 messagesgeneral
Jump to latest
#1Greg Steffensen
Greg Steffensen
greg.steffensen@gmail.com

Hey, I'm slightly confused about how the permission checking is done
when executing functions. Basically, users that I've never granted
execution permissions to are able to execute functions. Basically,
why does this script (which I've tested on a fresh db, executing via
psql as a superuser) succeed:

--------------
CREATE SCHEMA testschema;

CREATE FUNCTION testschema.testfunc()
RETURNS character varying AS
$BODY$SELECT 'foobar'::varchar;$BODY$
LANGUAGE 'sql' VOLATILE;

CREATE USER testuser;

GRANT USAGE ON SCHEMA testschema TO testuser;

SET SESSION AUTHORIZATION testuser;

SELECT testschema.testfunc();
------------------

But permission checking works the way I thought it was supposed to
when dealing with tables, like when I execute this instead, and get a
permissions failure:

-----------------
CREATE SCHEMA testschema;

CREATE TABLE testschema.testtable (testcolumn VARCHAR);

CREATE USER testuser;

GRANT USAGE ON SCHEMA testschema TO testuser;

SET SESSION AUTHORIZATION testuser;

SELECT * FROM testschema.testtable;
----------------

Any help is greatly appreciated. Thanks,

Greg

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Greg Steffensen (#1)
Re: function permissions question

"Greg Steffensen" <greg.steffensen@gmail.com> writes:

Hey, I'm slightly confused about how the permission checking is done
when executing functions. Basically, users that I've never granted
execution permissions to are able to execute functions.

You didn't read the part of the GRANT man page that says that functions
have execute permissions granted to PUBLIC by default.

You can revoke that if you don't like it.

regards, tom lane

#3Greg Steffensen
Greg Steffensen
greg.steffensen@gmail.com
In reply to: Tom Lane (#2)
Re: function permissions question

Excellent, thanks for the quick response.

Greg

Show quoted text

On Dec 9, 2007 1:18 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

"Greg Steffensen" <greg.steffensen@gmail.com> writes:

Hey, I'm slightly confused about how the permission checking is done
when executing functions. Basically, users that I've never granted
execution permissions to are able to execute functions.

You didn't read the part of the GRANT man page that says that functions
have execute permissions granted to PUBLIC by default.

You can revoke that if you don't like it.

regards, tom lane

← Back to Topics