Message-ID: <73f0e7a2-b958-4a95-96d8-08e08909c9c1@aklaver.com>
Date: Sun, 21 Apr 2024 13:53:05 -0700
Subject: Re: error in trigger creation
To: yudhi s, Tom Lane
Cc: "David G. Johnston", pgsql-general
References: <2720974.1713710606@sss.pgh.pa.us>
From: Adrian Klaver

On 4/21/24 11:20, yudhi s wrote:
>
> On Sun, Apr 21, 2024 at 8:13 PM Tom Lane wrote:
>
> So do you mean, we should not create the event trigger using the
> "security definer", rather have the super user do this each time we
> have to create the event trigger?
>
> Actually, I am not very much aware about the security part, but is it
> fine to give the super user privilege to the application user (say
> app_user) from which normally scripts/procedures get executed by the
> application, but nobody (individual person) can login using that user.
>
> Additionally in other databases, triggers are driven by some
> specific privileges (say for example in Oracle "create trigger"
> privilege). And it doesn't need any super user and we were having many

Which Postgres has

https://www.postgresql.org/docs/current/ddl-priv.html

TRIGGER

    Allows creation of a trigger on a table, view, etc.

but you are talking about event triggers

https://www.postgresql.org/docs/current/sql-createeventtrigger.html

where

"Only superusers can create event triggers."

To paraphrase Henry Ford, you can have any user for an event trigger as long as the user is a superuser.

> applications in which the application user (which were used for app to
> app login) was having these privileges, similar to "create table"
> privileges which comes by default to the schema who owns the objects
> etc. So in this case I was wondering if "event trigger" can cause any
> additional threat and thus there is no such privilege like "create
> trigger" exist in postgres and so it should be treated cautiously?

An event trigger runs as a superuser and executes a function that in turn can do many things, you do the math on the threat level.

-- 
Adrian Klaver
adrian.klaver@aklaver.com
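
The privilege split discussed in this message, as an added example that is not part of the original thread: the application role gets only the table-level TRIGGER privilege, while the event trigger is created once by a superuser and then reviewed through the catalogs. It assumes a superuser session in a scratch database; `app_user`, the `app` schema, `app.orders`, `app.stamp_row` and `app.log_ddl` are hypothetical names.

```sql
-- Added example; run as a superuser in a scratch database.
-- app_user, app.orders, app.stamp_row and app.log_ddl are hypothetical names.
CREATE ROLE app_user NOLOGIN;
CREATE SCHEMA app;
CREATE TABLE app.orders (id int PRIMARY KEY, updated_at timestamptz);

CREATE FUNCTION app.stamp_row() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    NEW.updated_at := now();
    RETURN NEW;
END;
$$;

-- Table trigger: the TRIGGER privilege on the table is what the app role needs.
GRANT USAGE ON SCHEMA app TO app_user;
GRANT TRIGGER ON app.orders TO app_user;
SET ROLE app_user;
CREATE TRIGGER orders_stamp BEFORE INSERT OR UPDATE ON app.orders
    FOR EACH ROW EXECUTE FUNCTION app.stamp_row();
-- A CREATE EVENT TRIGGER issued here would be refused: app_user is not a superuser.
RESET ROLE;

-- Event trigger: created once by the superuser (for example in a reviewed
-- migration), with a small function and a pinned search_path.
-- This function only writes to the server log.
CREATE FUNCTION app.log_ddl() RETURNS event_trigger
LANGUAGE plpgsql
SET search_path = pg_catalog AS $$
DECLARE
    cmd record;
BEGIN
    FOR cmd IN SELECT * FROM pg_event_trigger_ddl_commands() LOOP
        RAISE LOG 'ddl: % on % by %',
            cmd.command_tag, cmd.object_identity, session_user;
    END LOOP;
END;
$$;
CREATE EVENT TRIGGER log_ddl ON ddl_command_end
    EXECUTE FUNCTION app.log_ddl();

-- Review: which roles are superusers, and which event triggers exist.
SELECT rolname FROM pg_roles WHERE rolsuper;
SELECT evtname, evtevent, evtowner::regrole AS owned_by,
       evtfoid::regprocedure AS func, evtenabled
FROM pg_event_trigger;
```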