| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Noah Misch <noah(at)leadboat(dot)com> |
| Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: ALTER DEFAULT PRIVILEGES FOR ROLE is broken |
| Date: | 2013-04-29 23:40:10 |
| Message-ID: | 15314.1367278810@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Noah Misch <noah(at)leadboat(dot)com> writes:
> The particular restriction at hand, namely that a role have CREATE rights on a
> schema before assigning role-specific default privileges, seems like needless
> paternalism. It would be akin to forbidding ALTER ROLE ... PASSWORD on a
> NOLOGIN role. I'd support removing it when such a proposal arrives.
Hm. I defended that restriction earlier, but it now occurs to me to
wonder if it doesn't create a dump/reload sequencing hazard. I don't
recall that pg_dump is aware of any particular constraints on the order
in which it dumps privilege-grant commands. If it gets this right,
that's mostly luck, I suspect.
> If
> anything, require that the user executing the ALTER DEFAULT PRIVILEGES, not
> the subject of the command, has CREATE rights on the schema.
That would be just as dangerous from this angle.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Noah Misch | 2013-04-29 23:46:34 | Re: The missing pg_get_*def functions |
| Previous Message | Noah Misch | 2013-04-29 22:54:49 | Re: ALTER DEFAULT PRIVILEGES FOR ROLE is broken |