-
Notifications
You must be signed in to change notification settings - Fork 167
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add security definer and search_path to event trigger functions.
Similar to #156, this prevents users from defining their own versions of functions used in the event triggers. Either one should be sufficient on its own, but both provides better defense against regressions.
- Loading branch information
Showing
4 changed files
with
38 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| -- complain if script is sourced in psql, rather than via CREATE EXTENSION | ||
| \echo Use "CREATE EXTENSION pgaudit" to load this file.\quit | ||
|
|
||
| -- Drop old triggers and functions | ||
| drop event trigger if exists pgaudit_ddl_command_end; | ||
| drop function if exists pgaudit_ddl_command_end(); | ||
|
|
||
| drop event trigger if exists pgaudit_sql_drop; | ||
| drop function if exists pgaudit_sql_drop(); | ||
|
|
||
| -- Create triggers and functions with security definer and search_path | ||
| CREATE FUNCTION pgaudit_ddl_command_end() | ||
| RETURNS event_trigger | ||
| SECURITY DEFINER | ||
| SET search_path = 'pg_catalog, pg_temp' | ||
| LANGUAGE C | ||
| AS 'MODULE_PATHNAME', 'pgaudit_ddl_command_end'; | ||
|
|
||
| CREATE EVENT TRIGGER pgaudit_ddl_command_end | ||
| ON ddl_command_end | ||
| EXECUTE PROCEDURE pgaudit_ddl_command_end(); | ||
|
|
||
| CREATE FUNCTION pgaudit_sql_drop() | ||
| RETURNS event_trigger | ||
| SECURITY DEFINER | ||
| SET search_path = 'pg_catalog, pg_temp' | ||
| LANGUAGE C | ||
| AS 'MODULE_PATHNAME', 'pgaudit_sql_drop'; | ||
|
|
||
| CREATE EVENT TRIGGER pgaudit_sql_drop | ||
| ON sql_drop | ||
| EXECUTE PROCEDURE pgaudit_sql_drop(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,5 @@ | ||
| # pgaudit extension | ||
| comment = 'provides auditing functionality' | ||
| default_version = '1.5' | ||
| default_version = '1.5.1' | ||
| module_pathname = '$libdir/pgaudit' | ||
| relocatable = true |