From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Bruno Wolff III <bruno(at)wolff(dot)to>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [PATCHES] Users/Groups -> Roles |
Date: | 2005-06-28 20:05:16 |
Message-ID: | 20050628200516.GP24207@ns.snowman.net |
Lists: | pgsql-hackers pgsql-patches |

* Bruno Wolff III (bruno(at)wolff(dot)to) wrote:
> On Tue, Jun 28, 2005 at 14:45:06 -0400,
> Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> >
> > If you are the owner of the object to be changed (following the normal
> > owner checking rules) AND would still be considered the owner of the
> > object *after* the change, then you can change the ownership.
>
> That still isn't a good idea, because the new owner may not have had
> access to create the object you just gave to them. Or you may not have
> had access to drop the object you just gave away. That is going to
> be a security hole.

If you're considered the owner of an object then you have access to drop
it already. You have to be a member of the role to which you're
changing the ownership. That role not having permission to create the
object in place is an interesting question. That's an issue for SET
ROLE too, to some extent I think, do you still have your role's
permissions after you've SET ROLE to another role? If not then you'd
have to grant CREATE on the schema to the role in order to create
objects owned by that role, and I don't think that's necessarily
something you'd want to do.

Thanks,

Stephen

From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paesold | 2005-06-28 20:08:07 | Re: [PATCHES] Users/Groups -> Roles |
Previous Message | Bruno Wolff III | 2005-06-28 20:01:42 | Re: [PATCHES] Users/Groups -> Roles |