| author | Tom Lane <tgl@sss.pgh.pa.us> | 2006-01-13 18:06:45 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2006-01-13 18:06:45 +0000 |
| commit | 1564e92cea27a22ace7da635fe73fc23f96f8d4e (patch) | |
| tree | c3cc191a5dd42f56c7b56e4405e98ebafa5d488d /doc/src | |
| parent | 4b3252c4b8533bacfe6b14d866d2cdae79574b1c (diff) | |
Require the issuer of CREATE TYPE to own the functions mentioned in the
type definition. Because use of a type's I/O conversion functions isn't
access-checked, CREATE TYPE amounts to granting public execute permissions
on the functions, and so allowing it to anybody means that someone could
theoretically gain access to a function he's not supposed to be able to
execute. The parameter-type restrictions already enforced by CREATE TYPE
make it fairly unlikely that this oversight is meaningful in practice,
but still it seems like a good idea to plug the hole going forward.
Also, document the implicit grant just in case anybody gets the idea of
building I/O functions that might need security restrictions.
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/ref/create_type.sgml | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/doc/src/sgml/ref/create_type.sgml b/doc/src/sgml/ref/create_type.sgml index 1205605ca36..a39c244c6c7 100644 --- a/doc/src/sgml/ref/create_type.sgml +++ b/doc/src/sgml/ref/create_type.sgml @@ -1,5 +1,5 @@ <!-- -$PostgreSQL: pgsql/doc/src/sgml/ref/create_type.sgml,v 1.59 2005/11/01 21:09:50 tgl Exp $ +$PostgreSQL: pgsql/doc/src/sgml/ref/create_type.sgml,v 1.60 2006/01/13 18:06:45 tgl Exp $ PostgreSQL documentation --> @@ -447,6 +447,17 @@ CREATE TYPE <replaceable class="parameter">name</replaceable> ( </para> <para> + Because there are no restrictions on use of a data type once it's been + created, creating a base type is tantamount to granting public execute + permission on the functions mentioned in the type definition. (The creator + of the type is therefore required to own these functions.) This is usually + not an issue for the sorts of functions that are useful in a type + definition. But you might want to think twice before designing a type + in a way that would require <quote>secret</> information to be used + while converting it to or from external form. + </para> + + <para> In <productname>PostgreSQL</productname> versions before 7.3, it was customary to avoid creating a shell type by replacing the functions' forward references to the type name with the placeholder |
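Review bot: In the paragraph added by the second hunk (@@ -447,6 +447,17 @@), the one rule that is actually enforced sits in a parenthetical: "(The creator of the type is therefore required to own these functions.)". Suggest making it a sentence of its own, since it is a requirement on the issuer of CREATE TYPE rather than an aside. The closing advice ("you might want to think twice ...") would also be easier to act on if it gave the reason stated in the commit message, that use of a type's I/O conversion functions isn't access-checked, so execute permissions on those functions do not protect them once the type exists. The diffstat shown is limited to doc/src, so the ownership check itself cannot be compared against this wording from here. The first hunk only bumps the $PostgreSQL$ revision keyword and needs no comment.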
