Able to do ALTER DEFAULT PRIVILEGES from a user who is not the owner

From: rajan <vgmonnet(at)gmail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Able to do ALTER DEFAULT PRIVILEGES from a user who is not the owner
Date: 2019-02-02 12:27:50
Message-ID: 1549110470466-0.post@n3.nabble.com
Lists: pgsql-hackers

Please help me understand the following. How is a user (who is not the owner
of a table) able to ALTER DEFAULT PRIVILEGES and GRANT SELECT rights for
all tables? Is providing USAGE on the schema enough to do that? How is
this secure?

learning=> select current_user;
current_user
--------------
student
(1 row)

learning=> \dn
List of schemas
Name | Owner
-------------+----------
academics | head
board_exams | head
public | postgres
(3 rows)

learning=> set role head;
SET
learning=> CREATE SCHEMA additional;
CREATE SCHEMA
learning=>
learning=> \dn
List of schemas
Name | Owner
-------------+----------
academics | head
additional | head       <-- the schema's owner is the user head
board_exams | head
public | postgres
(4 rows)
learning=> CREATE TABLE additional.chess(id serial not null, marks varchar);
CREATE TABLE
learning=> GRANT USAGE ON SCHEMA additional TO student;
GRANT
learning=> set role student;
SET
learning=> \z additional.chess
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
------------+-------+-------+-------------------+-------------------+----------
additional | chess | table | | |       <-- user student has no privilege on the table
(1 row)
learning=> SELECT current_user;
current_user
--------------
student
(1 row)

-- With the student user having no privilege, how does ALTER DEFAULT PRIVILEGES
-- work?
learning=> ALTER DEFAULT PRIVILEGES IN SCHEMA additional GRANT INSERT ON
TABLES TO student;
ALTER DEFAULT PRIVILEGES
learning=> \ddp
Default access privileges
Owner | Schema | Type | Access privileges
---------+-------------+-------+--------------------
student | academics | table | student=aD/student
student | additional | table | student=a/student
student | board_exams | table | student=r/student
(3 rows)

learning=> GRANT INSERT ON TABLES TO student;
ERROR: relation "tables" does not exist
learning=> GRANT INSERT ON TABLE additional.chess TO student;
ERROR: permission denied for relation chess
learning=>

-----
--
Thanks,
Rajan.
--
Sent from: http://www.postgresql-archive.org/PostgreSQL-hackers-f1928748.html
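The post above asks why a role with no privileges on a table can run ALTER DEFAULT PRIVILEGES at all. The script below is an added example, not part of the original post and not PostgreSQL's own code; it rebuilds the scenario in a scratch database and shows what the command actually changed. Without a FOR ROLE clause, ALTER DEFAULT PRIVILEGES records defaults for objects that the current role will create itself, which is why the \ddp output in the post lists student, not head, as Owner. It leaves head's existing table alone and does not shape head's future tables either; changing those needs FOR ROLE head, which PostgreSQL accepts only from members of head. (In the post, student was able to SET ROLE head, so student is evidently a member of head and already had that authority.) Role, schema and table names (head, student, additional, chess) mirror the post; the chemistry table and the catalog queries are assumptions made for this demonstration. Run it in psql as a superuser; the statements in steps 3 and 4 are expected to fail with permission errors, so leave ON_ERROR_STOP off.

```sql
-- Added example, not from the original post. Run in psql as a superuser
-- against a scratch database. Names mirror the post; the chemistry table
-- and the catalog queries are assumptions for the demonstration.

CREATE ROLE head LOGIN;
CREATE ROLE student LOGIN;
CREATE SCHEMA additional AUTHORIZATION head;
GRANT USAGE ON SCHEMA additional TO student;

-- 1. As student, set a default privilege with no FOR ROLE clause.
--    It is recorded against student, so it only affects objects that
--    student itself creates later in this schema.
SET ROLE student;
ALTER DEFAULT PRIVILEGES IN SCHEMA additional GRANT INSERT ON TABLES TO student;
RESET ROLE;

-- The catalog shows who the default belongs to: defaclrole is student, not head.
SELECT defaclrole::regrole            AS owner,
       defaclnamespace::regnamespace  AS schema,
       defaclobjtype                  AS objtype,
       defaclacl                      AS acl
FROM   pg_default_acl;

-- 2. head creates a table. student's defaults do not apply to it, so the
--    table carries only head's own (NULL, i.e. owner-only) ACL.
SET ROLE head;
CREATE TABLE additional.chess (id serial NOT NULL, marks varchar);
RESET ROLE;

SELECT relacl FROM pg_class WHERE oid = 'additional.chess'::regclass;

-- 3. student can neither read nor write head's table; both statements are
--    rejected with a permission error.
SET ROLE student;
SELECT * FROM additional.chess;
INSERT INTO additional.chess (marks) VALUES ('A');

-- 4. Changing head's defaults requires FOR ROLE head, which is only allowed
--    for members of head. student is not a member here, so this is rejected.
ALTER DEFAULT PRIVILEGES FOR ROLE head IN SCHEMA additional
    GRANT SELECT ON TABLES TO student;
RESET ROLE;

-- 5. The owner (or a member of the owner role) is the one who can grant
--    future SELECT on head's tables. Tables head creates afterwards get the
--    student=r entry; the pre-existing chess table is not touched.
SET ROLE head;
ALTER DEFAULT PRIVILEGES FOR ROLE head IN SCHEMA additional
    GRANT SELECT ON TABLES TO student;
CREATE TABLE additional.chemistry (id serial NOT NULL, marks varchar);
RESET ROLE;

SELECT relacl FROM pg_class WHERE oid = 'additional.chemistry'::regclass;
SELECT relacl FROM pg_class WHERE oid = 'additional.chess'::regclass;

-- 6. student can now read chemistry but still not chess.
SET ROLE student;
SELECT * FROM additional.chemistry;
SELECT * FROM additional.chess;
RESET ROLE;
```

The check to run in an audit is the first catalog query: pg_default_acl.defaclrole tells you whose future objects a default applies to, and a row owned by a low-privilege role only ever widens access to that role's own creations. The thing to watch for is the membership that lets a role SET ROLE to, or use FOR ROLE with, an object-owning role, because that membership is what lets it grant on the owner's behalf.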
