Require the issuer of CREATE TYPE to own the functions mentioned in the

type definition.  Because use of a type's I/O conversion functions isn't
access-checked, CREATE TYPE amounts to granting public execute permissions
on the functions, and so allowing it to anybody means that someone could
theoretically gain access to a function he's not supposed to be able to
execute.  The parameter-type restrictions already enforced by CREATE TYPE
make it fairly unlikely that this oversight is meaningful in practice,
but still it seems like a good idea to plug the hole going forward.
Also, document the implicit grant just in case anybody gets the idea of
building I/O functions that might need security restrictions.

doc/src/sgml/ref/create_type.sgml

@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/create_type.sgml,v 1.59 2005/11/01 21:09:50 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/create_type.sgml,v 1.60 2006/01/13 18:06:45 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -446,6 +446,17 @@ CREATE TYPE <replaceable class="parameter">name</replaceable> (
    internally-created array type names.
   </para>
 
+  <para>
+   Because there are no restrictions on use of a data type once it's been
+   created, creating a base type is tantamount to granting public execute
+   permission on the functions mentioned in the type definition.  (The creator
+   of the type is therefore required to own these functions.)  This is usually
+   not an issue for the sorts of functions that are useful in a type
+   definition.  But you might want to think twice before designing a type
+   in a way that would require <quote>secret</> information to be used
+   while converting it to or from external form.
+  </para>
+
   <para>
    In <productname>PostgreSQL</productname> versions before 7.3, it
    was customary to avoid creating a shell type by replacing the