Re: OWNER TO on all objects

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: OWNER TO on all objects
Date: 2004-06-16 15:59:58
Message-ID: 22717.1087401598@sss.pgh.pa.us
Lists: pgsql-hackers

Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> writes:
>> No, you don't. That allows non-superusers to give away object
>> ownership, which is well-established as a security hole; Unix
>> filesystems stopped doing it years ago.

> I worded that badly. I meant "allow a user to change the owner of
> something to what it already is". ie. Just make the no-op allowed by
> everyone. session_auth already does this.

Ah. Okay, no objection to that. (In fact I believe we put in the
special case for session_auth for exactly the same reason.)

regards, tom lane
