| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Ted Toth <txtoth(at)gmail(dot)com> |
| Cc: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: RLS 9.5rc1 configuration changes? |
| Date: | 2016-01-05 00:14:42 |
| Message-ID: | 14724.1451952882@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Ted Toth <txtoth(at)gmail(dot)com> writes:
> On Mon, Jan 4, 2016 at 4:54 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Are you perhaps testing this as a superuser? Superusers bypass RLS
>> even with FORCE ROW LEVEL SECURITY.
> Yes I was a Superuser but without 'Bypass RLS'. So there's no way to
> enforce RLS for all users/roles?
There's no such thing as a "superuser without bypassrls", or a superuser
without any other privilege either. That's the point of having superuser,
is that you can *always* defeat privilege restrictions if you have to.
I do not know if Crunchy's 9.4 mods broke that principle, but if so,
it was a bug IMO.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2016-01-05 01:40:31 | Re: Cannot upgrade from 9.3 to 9.4 using pg_upgrade |
| Previous Message | Jim Nasby | 2016-01-04 23:21:51 | Re: to_timestamp alternatives |