From: | Sean Chittenden <sean(at)chittenden(dot)org> |
---|---|
To: | Hubert depesz Lubaczewski <depesz(at)depesz(dot)pl> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: dropping user doesn't erase his rights. |
Date: | 2003-01-10 22:47:23 |
Message-ID: | 20030110224723.GA24994@perrin.int.nxad.com |
Lists: | pgsql-bugs |
> > Difficult to do, when those privileges might be recorded in
> > databases you're not even connected to at the time of the drop.
>
> I believe it would be pretty difficult, but leaving it "just like
> that" creates security breach (imagine someone dropping user,
> believing that everything is o.k.), then someone else creates
> different user but with keeping unused sysid (this might be the case
> with system users and keeping system user-id with database user-id
> the same) - which happens to be "not unused". I'm not sure if I'm
> clear about it.
Wouldn't an ON DELETE trigger on the system catalogs work? I'd think
it would be possible to select the tables and groups that a user had
privs to and iterate through each calling REVOKE. -sc
--
Sean Chittenden
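
Added illustration, not part of the original message and not PostgreSQL code: a toy Python model of the problem in the quoted text (ACL entries keyed by sysid outliving the user, then being picked up by a new user with the same sysid) next to the revoke-on-drop cleanup the reply suggests. The class, method, database, table and user names and the sysid values are all constructed for the example.

```python
# Toy model (constructed; not PostgreSQL code): users are cluster-wide,
# ACLs live per database and reference users by numeric sysid.
class Cluster:
    def __init__(self):
        self.users = {}   # name -> sysid (shared across databases)
        self.acls = {}    # database -> {table -> {sysid -> set of privileges}}

    def create_user(self, name, sysid):
        if sysid in self.users.values():
            raise ValueError("sysid already in use")
        self.users[name] = sysid

    def grant(self, db, table, name, priv):
        entry = self.acls.setdefault(db, {}).setdefault(table, {})
        entry.setdefault(self.users[name], set()).add(priv)

    def drop_user(self, name):
        # Behaviour the thread complains about: only the user row goes away.
        return self.users.pop(name)

    def drop_user_revoking(self, name):
        # Cleanup as suggested in the reply: revoke everywhere, then drop.
        sysid = self.users[name]
        for tables in self.acls.values():
            for entry in tables.values():
                entry.pop(sysid, None)
        return self.users.pop(name)

    def privileges(self, db, table, name):
        return self.acls.get(db, {}).get(table, {}).get(self.users[name], set())

    def dangling(self):
        # Audit: ACL entries whose sysid matches no existing user.
        live = set(self.users.values())
        return sorted((db, table, sysid)
                      for db, tables in self.acls.items()
                      for table, entry in tables.items()
                      for sysid in entry if sysid not in live)


def demo():
    c = Cluster()
    c.create_user("alice", 1001)
    c.grant("payroll", "salaries", "alice", "SELECT")
    c.drop_user("alice")
    found = c.dangling()                  # stale entry survives the drop
    c.create_user("bob", 1001)            # sysid reused for a different user
    inherited = c.privileges("payroll", "salaries", "bob")
    return found, inherited
```

The `dangling()` audit has to walk every database's ACLs, which is the difficulty raised in the first quoted lines: the entries may sit in databases the session performing the drop is not connected to.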