| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
| Cc: | Gevik Babakhani <pgdev(at)xs4all(dot)nl>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Please advice TODO Item pg_hba.conf |
| Date: | 2006-04-23 23:18:29 |
| Message-ID: | 18785.1145834309@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> Gevik Babakhani wrote:
>> Of course a TABLE owner can revoke privileges from himself. But why
>> would a DATABASE owner want to lock himself out from CONNECTING to his
>> database.
> I don't know :-) If it doesn't make sense for somebody, then she won't
> do it.
> It's not like we are going out of our way to allow somebody to revoke
> the privileges from oneself. We are just keeping the thing as simple as
> possible.
There is a good, defensible reason for this: the behavior of
security-related commands should be as simple and unsurprising as
possible. Weird special cases added in the name of improving usability
are likely to do the opposite. What would you expect
REVOKE CONNECT ON DATABASE foo FROM foo_owner
to do, if not revoke his connect privileges? Failing to do so could
be called a security vulnerability.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2006-04-23 23:22:39 | Can't commit due to perl upgrade |
| Previous Message | Tom Lane | 2006-04-23 23:14:29 | Re: Please advice TODO Item pg_hba.conf |