I discovered today that when I create a function in a schema that another
user has "grant usage" on, they are able to execute the function even though
I've not granted them "execute" on the function.

Is this normal behavior (from the manual I don't believe it is)?

If so, is the best solution to put all of our functions into separate
schemas and grant usage on those based on what groups of functions someone
needs?

Thanks!

Jed S. Walker


  • Tom Lane at May 5, 2005 at 8:24 pm

    "Walker, Jed S" <Jed_Walker@cable.comcast.com> writes:
    > I discovered today that when I create a function in a schema that another
    > user has "grant usage" on, they are able to execute the function even though
    > I've not granted them "execute" on the function.
    > Is this normal behavior (from the manual I don't believe it is)?

    Yes, it is, because the default for functions is to grant PUBLIC EXECUTE
    access. Revoke that if you don't want it.

    regards, tom lane
  • Walker, Jed S at May 6, 2005 at 2:46 pm
    Do you mean that when I create a function an implicit "grant execute on
    function" is done? If so, we would have to do a revoke with each grant. Or,
    do you mean there is a public grant to "execute any function" that I can
    just remove when I create the database (and if so, how?)


  • Bruno Wolff III at May 6, 2005 at 3:42 pm

    On Fri, May 06, 2005 at 08:45:41 -0600, "Walker, Jed S" wrote:
    > Do you mean that when I create a function an implicit "grant execute on
    > function" is done? If so, we would have to do a revoke with each grant. Or,
    > do you mean there is a public grant to "execute any function" that I can
    > just remove when I create the database (and if so, how?)

    When a function is created it is created with "public" having execute access
    to it. You will need to do a revoke after each function creation.
  • Tom Lane at May 6, 2005 at 3:43 pm

    "Walker, Jed S" <Jed_Walker@cable.comcast.com> writes:
    > Do you mean that when I create a function an implicit "grant execute on
    > function" is done?

    Effectively, yes. See the GRANT manual page for details.

    regards, tom lane
  • Walker, Jed S at May 6, 2005 at 3:28 pm
    Another question, if we put functions into a schema and then use "grant
    usage" on the schema is that considered an OK practice in postgresql to
    limit users to a group of functions (I assume they would still have to have
    usage on the schema to get to them).

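
An added example, not part of the original thread, showing the behaviour discussed above and the revoke-then-grant pattern described in the replies. The schema, role and function names are constructed; steps 4 and 5 rely on catalog functions and on ALTER DEFAULT PRIVILEGES from PostgreSQL releases newer than this 2005 thread.

```sql
-- Constructed names throughout: schema "billing", roles "billing_exec" and
-- "report_user", function billing.invoice_total(integer).
-- Run as a superuser in a scratch database; everything is rolled back.
BEGIN;
CREATE ROLE billing_exec NOLOGIN;
CREATE ROLE report_user NOLOGIN;
CREATE SCHEMA billing;
GRANT USAGE ON SCHEMA billing TO billing_exec, report_user;

CREATE FUNCTION billing.invoice_total(integer) RETURNS numeric
    LANGUAGE sql AS 'SELECT 42.00::numeric';

-- 1. Default state: schema USAGE alone is enough, because a new function
--    carries an implicit EXECUTE grant to PUBLIC.
SET LOCAL ROLE report_user;
SELECT billing.invoice_total(1);
RESET ROLE;

-- 2. Remove the PUBLIC grant, then grant EXECUTE only to the intended role.
REVOKE EXECUTE ON FUNCTION billing.invoice_total(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION billing.invoice_total(integer) TO billing_exec;

-- 3. Check the effective privilege of each role after the change.
SELECT r.rolname,
       has_function_privilege(r.rolname, 'billing.invoice_total(integer)', 'EXECUTE') AS can_execute
FROM pg_roles r
WHERE r.rolname IN ('billing_exec', 'report_user');

-- 4. Audit: list functions in the schema that PUBLIC can still execute.
--    A NULL proacl means the built-in default (owner and PUBLIC) applies;
--    grantee 0 in an exploded ACL is PUBLIC.
SELECT n.nspname, p.proname, pg_get_function_identity_arguments(p.oid) AS args
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'billing'
  AND (p.proacl IS NULL
       OR EXISTS (SELECT 1 FROM aclexplode(p.proacl) a
                  WHERE a.grantee = 0 AND a.privilege_type = 'EXECUTE'));

-- 5. PostgreSQL 9.0 and later: change the default for functions this role
--    creates from now on, so the per-function REVOKE is no longer needed.
--    This must be the global form; an IN SCHEMA clause cannot remove a
--    privilege that the global default grants.
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

ROLLBACK;
```

Running the step 4 query without the schema filter gives a database-wide list of functions still open to PUBLIC, which is the useful check before relying on schema USAGE as the only boundary.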

Discussion Overview
group: pgsql-novice
categories: postgresql
posted: May 5, '05 at 7:53p
active: May 6, '05 at 3:43p
posts: 6
users: 3
website: postgresql.org
irc: #postgresql
