| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | pgsql-hackers(at)postgreSQL(dot)org |
| Subject: | Re: Bug introduced by recent ALTER OWNER permissions check change |
| Date: | 2005-08-04 03:18:19 |
| Message-ID: | 11564.1123125499@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> I don't like this approach to solving the problem. I would rather see
> the check modified to allow the ownership change provided:
> the user issueing the command has access to destination role
> AND
> (
> the destination role can create the table
> OR the user issuing the command has owner rights on the schema/db
> )
> etc
I don't think so --- this would allow unprivileged users to use ALTER
OWNER to arrive at states they could not arrive at otherwise; which
destroys the entire argument that non-superuser ALTER OWNER is not a
security risk. Shall we reverse out the patch and require you to
justify it from scratch?
Superusers should be allowed to do whatever they want, but that doesn't
mean that we should weaken the rules applied to ordinary users.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2005-08-04 06:35:46 | Re: Fundamental error in "no WAL log" index/file |
| Previous Message | Stephen Frost | 2005-08-04 03:07:20 | Re: Bug introduced by recent ALTER OWNER permissions check change |