Re: DROP OWNED BY fails to drop privileges granted by non-owners (was Re: [GENERAL] Bug, Feature, or what else?)

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, Andreas Kretschmer <andreas(at)a-kretschmer(dot)de>, pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: DROP OWNED BY fails to drop privileges granted by non-owners (was Re: [GENERAL] Bug, Feature, or what else?)
Date: 2013-03-25 16:52:44
Message-ID: 20130325165244.GE3699@alvh.no-ip.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-hackers

Tom Lane escribió:

> It looks to me like DropOwnedObjects doesn't actually insist on
> superuserness to do DROP OWNED, only ability to become the role,
> which means that DROP OWNED BY is completely broken for privileges
> if executed by a non-superuser; the only privileges it would remove
> would be those granted by the current user to the target user.

Well, moreover it fails completely with "permission denied" when tried,
so yeah it is broken today. Now, I don't necessarily think we should
remove the capability completely, as it seems useful. Consider a
database where the superuser has created various department roles; admin
privileges are given to certain users (bosses?) for each of such
department roles. Such admins can add and remove other users from their
roles at will, via grant and revoke; it seems useful to be able to
remove all privileges from a certain user without going through objects
one by one. Example:

create user alice;
create user bob;

create role arts;

create role arts_boss;
grant arts to arts_boss with admin option;
grant arts_boss to bob;

create schema s_arts authorization arts_boss;
revoke create on schema s_arts from public;

\c - bob
set role arts_boss;
grant arts to alice;
create table s_arts.animations (id int, description text);
grant all on s_arts.animations to arts;
grant update on s_arts.animations to alice;

Here, Bob can GRANT and REVOKE specific things to Alice; but it doesn't
work for Bob to "DROP OWNED BY alice" (fails with "permission denied to
drop objects"), when in fact it does make sense that it would revoke
those privileges -- but not those that alice might have gotten via a
different chain of command, say on role "building" on which Charlie is
admin.

Alternatively we might say this is just gilding the lily and we should
disallow this whole thing and restrict DROP OWNED. Two further
possibilities here:

a) only a superuser can run it, period.
b) any user can run it on itself, and this revokes all privileges
granted to this role, regardless of where they come from.

(In any case I think we should disallow alice from doing "DROP OWNED by
arts".)

As a final comment, I am inclined to go the simplest route possible,
first because I can't spend infinite time on this, and also because I
think messing too much with this might lead to strange security issues.

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Emanuel Araújo 2013-03-25 16:57:48 Acess Oracle with dbi-link (PostgreSQL) Error Compile
Previous Message Merlin Moncure 2013-03-25 16:04:37 Re: PostgreSQL and VIEWS

Browse pgsql-hackers by date

  From Date Subject
Next Message Atri Sharma 2013-03-25 17:06:20 Re: Limiting setting of hint bits by read-only queries; vacuum_delay
Previous Message Vibhor Kumar 2013-03-25 16:01:39 Re: pg_dump selectively ignores extension configuration tables