Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1so4ZC-0085xK-D5
	for pgsql-general@arkaria.postgresql.org; Tue, 10 Sep 2024 17:22:15 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1so4ZA-00GgTk-0N
	for pgsql-general@arkaria.postgresql.org; Tue, 10 Sep 2024 17:22:12 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1so4Z9-00GgRM-HA
	for pgsql-general@lists.postgresql.org; Tue, 10 Sep 2024 17:22:11 +0000
Received: from mail-lj1-x244.google.com ([2a00:1450:4864:20::244])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1so4Z1-000VKF-6F
	for pgsql-general@lists.postgresql.org; Tue, 10 Sep 2024 17:22:10 +0000
Received: by mail-lj1-x244.google.com with SMTP id 38308e7fff4ca-2f762de00fbso12320931fa.2
        for <pgsql-general@lists.postgresql.org>; Tue, 10 Sep 2024 10:22:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=cybertec-at.20230601.gappssmtp.com; s=20230601; t=1725988922; x=1726593722; darn=lists.postgresql.org;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date
         :message-id:reply-to;
        bh=AIH4dlq7CFid6x/+awSWMk6ZFl59yMcK+EH3FK3Btbg=;
        b=VVXjbqdvyX4tsnG1sk3TAPEImRcT2uX/6BUcxrcNL5OaD8f8S6IhYu5B0cAGC8gutT
         6IRM/8S08YWXyoZ4/p8w5EHzbjJ1e0FBzbDOG/xv24ueIRl3dRrH6RJJsKfquB6UM0aH
         K1jnR+0eRt/TCG3bZECgXr7KoC3iLqmo+n6isRkpQmq3XB3SDx/LwpppuZnjh02gC1HR
         2pIrvUV0SSXhzdoUl+nIT/8C1M/KRES2qdAczaFBeDtVteOAMFjfLv30n2epaGU3IJSi
         B0KxwrEUEsh8cuDaKNmgeYa7M5S6QeExwUBo3arFp1KdZCva4mmH1a8uIOiRobNW3hxo
         cpVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1725988922; x=1726593722;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=AIH4dlq7CFid6x/+awSWMk6ZFl59yMcK+EH3FK3Btbg=;
        b=kotctD90U2iEPfx+gXuUunCQTEqjslxqgi45t2dB2zwDlW8jLrXKLEkPB49hqvoR4H
         96NOtuWcLdv0oRzCuTSBCyWRosnTLGJqNxFII43kcsHwXKYhk66su0oDZnN7v2SuJvgZ
         4CuduNpJH6C+Ondqf+mNwTpBk/555o+prUzy92W31Y2TNp41DsMnEN8/VtQZ2jOaScAE
         Ei6pjFskRkEI1qL/GbB/yamQDS2vD25rSd0YslWlxgWfSg42PeT/p57dUDKAH+5bSgLG
         d3zbc8/mC3uVwdDDFi7z/7WUo4JSqcLA29C/IHvlilT2Pt2OGHXeO0SJZflX0/fbsD6Y
         exXA==
X-Forwarded-Encrypted: i=1; AJvYcCVXmPm+G3jGaZzemZOtKzJ0AsPHu0LkoSoKOAsK2SGxxwf7BFngMcyA+/Pz3j+QeEZTCeZNL2je0C1tlz36@lists.postgresql.org
X-Gm-Message-State: AOJu0Yxwehfshhs08zIAaF1Zxe/JWfvEv7iR+oqex2mKx0lW63CHKCMs
	yxLuESUJNjYsShWwDDqY7P+cZqL24OQ/KXqcVhPRy/wZHAIzjCPv9BOQirkudhDH9v8lFltUjx5
	yCmC+qA==
X-Google-Smtp-Source: AGHT+IEATmKLBWltFWWIzARfYjut5uW281/g0UWwaRbrWsSh6VJ6VY5YOeuySGOYTejivhbY2513Zg==
X-Received: by 2002:a05:651c:1991:b0:2ef:2490:46fb with SMTP id 38308e7fff4ca-2f77b7f2661mr2932681fa.37.1725988921710;
        Tue, 10 Sep 2024 10:22:01 -0700 (PDT)
Received: from [10.93.0.121] (p50992f7c.dip0.t-ipconnect.de. [80.153.47.124])
        by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5c401420b55sm1403756a12.38.2024.09.10.10.22.01
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 10 Sep 2024 10:22:01 -0700 (PDT)
Message-ID: <363f99f669d19bbb2776aa0b7f6b0d991d11d323.camel@cybertec.at>
Subject: Re: Strange permission effect depending on DEFERRABILITY
From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Achilleas Mantzios - cloud <a.mantzios@cloud.gatewaynet.com>, 
 "pgsql-general@lists.postgresql.org"
	 <pgsql-general@lists.postgresql.org>
Date: Tue, 10 Sep 2024 19:22:00 +0200
In-Reply-To: <40558bdd-d641-feac-84fe-65b3e87ec085@cloud.gatewaynet.com>
References: <89e33a53-909c-6a02-bfc6-2578ba974e16@cloud.gatewaynet.com>
	 <a3559b3c11330e59a4757b97d741c4cd6005d659.camel@cybertec.at>
	 <40558bdd-d641-feac-84fe-65b3e87ec085@cloud.gatewaynet.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.52.4 (3.52.4-1.fc40) 
MIME-Version: 1.0
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/363f99f669d19bbb2776aa0b7f6b0d991d11d323.camel%40cybertec.at>
Precedence: bulk

On Tue, 2024-09-10 at 12:20 +0300, Achilleas Mantzios - cloud wrote:
> On 9/10/24 00:09, Laurenz Albe wrote:
> > On Mon, 2024-09-09 at 16:14 +0300, Achilleas Mantzios - cloud wrote:
> > > The below runs on PostgreSQL 16.4
> > >=20
> > > We are trying to implement a certain operation based on a security de=
finer
> > > function : mariner_update_availability_date
> > >=20
> > > This is supposed to update a table : mariner , which has several othe=
r triggers :
> > >=20
> > >    [...]
> > >  =C2=A0=C2=A0zzzmariner_dmq_tg AFTER INSERT OR DELETE OR UPDATE ON ma=
riner DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION export_dm=
q()
> > >=20
> > > As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger.
> > > This function mariner_update_availability_date is supposed to be run =
by a user :
> > > cbt_results_import stripped of any privileges to the rest of the syst=
em. Here is
> > > what we get : when we SET the constraint of the last trigger to IMMED=
IATE, the
> > > function runs on behalf of its owner (postgres) who has all needed pr=
ivileges
> > > (as superuser) to run the update on mariner table and also run the tr=
iggers .
> > > However, when we run with this CONSTRAINT as DEFERRED then it seems t=
o NOT run
> > > the last deferrable trigger as postgres.
> > >=20
> > I have proposed a patch that fixes exactly that case:
> > https://commitfest.postgresql.org/49/4888/
> >=20
> > So far, the feedback seems to be that it is not considered a bug.
> > But that doesn't mean that we cannot change the behavior.
>=20
> Nice work! However I am not sure. What's a trigger owner btw in the=20
> thread :
> ? Do they mean the table owner? is the trigger creator / owner stored=20
> somewhere ? I dont see it in system tables or the schema dump. Or do=20
> they imply the trigger function owner ?

The owner of a trigger is always the owner of the table.

> Maybe controlling the queued and later executed trigger invocations=20
> security context via a new special GUC? such as :
>=20
> trigger_security_ctx =3D current_user (default) | table/trigger_owner |=
=20
> execution_triggered_user
>=20
> (in every case a SECURITY DEFINER function would override the above setti=
ng)

The PostgreSQL project has made bad experiences with parameters that change
the semantics of SQL statements, so I think that idea will meet resistance.

Besides, what I am proposing in the patch is not to use the owner of the
table, but the current_user at the time that the trigger is queued.

I had the impression that that is what you are looking for.
Executing as table owner can easily be done with a SECURITY DEFINER functio=
n.

Yours,
Laurenz Albe