Skip to content

Commit 6fa66ec

Browse files
robertmhaasrobertmhaas
committed
Assorted improvements to SECURITY DEFINER functions documentation.
Add a cross-reference from the part of the page that introdues SECURITY INVOKER and SECURITY DEFINER to the part of the page that talks about writing SECURITY DEFINER functions safely, so that users are less likely to miss it. Remove discussion of the pre-8.3 behavior on the theory that it's probably not very relevant any more, that release having gone out of support nearly a decade ago. Add a mention of the new createrole_self_grant GUC, which in certain cases might need to be set to a safe value to avoid unexpected consequences. Possibly this section needs major surgery rather than just these small tweaks, but hopefully this is at least a small step forward. Discussion: http://postgr.es/m/CA+Tgmoauqd1cHQjsNEoxL5O-kEO4iC9dAPyCudSvmNqPJGmy9g@mail.gmail.com
1 parent 3cdf750 commit 6fa66ec

File tree

1 file changed

+12
-6
lines changed

1 file changed

+12
-6
lines changed

doc/src/sgml/ref/create_function.sgml

Lines changed: 12 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -411,7 +411,9 @@ CREATE [ OR REPLACE ] FUNCTION
411411
is to be executed with the privileges of the user that calls it.
412412
That is the default. <literal>SECURITY DEFINER</literal>
413413
specifies that the function is to be executed with the
414-
privileges of the user that owns it.
414+
privileges of the user that owns it. For information on how to
415+
write <literal>SECURITY DEFINER</literal> functions safely,
416+
<link linkend="sql-createfunction-security">see below</link>.
415417
</para>
416418

417419
<para>
@@ -776,6 +778,11 @@ SELECT * FROM dup(42);
776778
<secondary>use in securing functions</secondary>
777779
</indexterm>
778780

781+
<indexterm>
782+
<primary><varname>createrole_self_grant</varname> configuration parameter</primary>
783+
<secondary>use in securing functions</secondary>
784+
</indexterm>
785+
779786
<para>
780787
Because a <literal>SECURITY DEFINER</literal> function is executed
781788
with the privileges of the user that owns it, care is needed to
@@ -815,11 +822,10 @@ $$ LANGUAGE plpgsql
815822
</para>
816823

817824
<para>
818-
Before <productname>PostgreSQL</productname> version 8.3, the
819-
<literal>SET</literal> clause was not available, and so older functions may
820-
contain rather complicated logic to save, set, and restore
821-
<varname>search_path</varname>. The <literal>SET</literal> clause is far easier
822-
to use for this purpose.
825+
If the security definer function intends to create roles, and if it
826+
is running as a non-superuser, <varname>createrole_self_grant</varname>
827+
should also be set to a known value using the <literal>SET</literal>
828+
clause.
823829
</para>
824830

825831
<para>

0 commit comments

Comments
 (0)