Problem
See the functions and event trigger owned by postgres:
```sql
select proname, proowner::regrole from pg_proc where prorettype = 'event_trigger'::regtype;
```

| proname | proowner |
| --- | --- |
| event_trigger_in | supabase_admin |
| pgrst_drop_watch | supabase_admin |
| grant_pg_graphql_access | supabase_admin |
| trg_mask_update | supabase_admin |
| pgrst_ddl_watch | supabase_admin |
| grant_pg_net_access | postgres |
| set_graphql_placeholder | supabase_admin |
| increment_schema_version | supabase_admin |
| grant_pg_cron_access | postgres |

```sql
select evtname, evtowner::regrole, evtfoid::regproc from pg_event_trigger;
```

| evtname | evtowner | evtfoid |
| --- | --- | --- |
| issue_pg_net_access | postgres | grant_pg_net_access |
| issue_pg_graphql_access | supabase_admin | grant_pg_graphql_access |
| issue_graphql_placeholder | supabase_admin | set_graphql_placeholder |
| pgrst_ddl_watch | supabase_admin | pgrst_ddl_watch |
| pgrst_drop_watch | supabase_admin | pgrst_drop_watch |
| pgsodium_trg_mask_update | supabase_admin | pgsodium.trg_mask_update |
| graphql_watch_ddl | supabase_admin | graphql.increment_schema_version |
| graphql_watch_drop | supabase_admin | graphql.increment_schema_version |
| issue_pg_cron_access | supabase_admin | grant_pg_cron_access |

This means that any user can DROP those and cause services to malfunction:
```sql
drop function grant_pg_cron_access cascade;
drop function grant_pg_net_access cascade;
```
Both DROPs above work.
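
An audit query for the condition reported above, as an added example that is not part of the original report or the project's code: it joins the two catalogs queried above and shows, per event trigger, who owns the handler function, whether that owner is a superuser, and whether the current session holds the owning role. The column aliases are chosen for this example.

```sql
-- Added example: list each event trigger with its handler function and
-- flag handlers that a non-superuser role owns. Aliases are illustrative.
select
    t.evtname                         as event_trigger,
    t.evtevent                        as fires_on,
    t.evtowner::regrole               as trigger_owner,
    n.nspname || '.' || p.proname     as handler_function,
    p.proowner::regrole               as function_owner,
    r.rolsuper                        as function_owner_is_superuser,
    -- true when the current session role is, or is a member of, the
    -- function's owner (superusers always pass this check)
    pg_has_role(p.proowner, 'USAGE')  as owned_by_current_session
from pg_event_trigger t
join pg_proc p      on p.oid = t.evtfoid
join pg_namespace n on n.oid = p.pronamespace
join pg_roles r     on r.oid = p.proowner
-- non-superuser-owned handlers sort first
order by r.rolsuper, t.evtname;
```

Run it once as the role that clients connect with: any row where `owned_by_current_session` is true and `function_owner_is_superuser` is false is a handler that role can drop, taking the dependent event trigger with it under `cascade`.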