Re: Please advice TODO Item pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Gevik Babakhani <pgdev(at)xs4all(dot)nl>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Please advice TODO Item pg_hba.conf
Date: 2006-04-23 23:18:29
Message-ID: 18785.1145834309@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> Gevik Babakhani wrote:
>> Of course a TABLE owner can revoke privileges from himself. But why
>> would a DATABASE owner want to lock himself out from CONNECTING to his
>> database.

> I don't know :-) If it doesn't make sense for somebody, then she won't
> do it.

> It's not like we are going out of our way to allow somebody to revoke
> the privileges from oneself. We are just keeping the thing as simple as
> possible.

There is a good, defensible reason for this: the behavior of
security-related commands should be as simple and unsurprising as
possible. Weird special cases added in the name of improving usability
are likely to do the opposite. What would you expect
REVOKE CONNECT ON DATABASE foo FROM foo_owner
to do, if not revoke his connect privileges? Failing to do so could
be called a security vulnerability.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Alvaro Herrera 2006-04-23 23:22:39 Can't commit due to perl upgrade
Previous Message Tom Lane 2006-04-23 23:14:29 Re: Please advice TODO Item pg_hba.conf