Re: [PATCH] DefaultACLs

From: Petr Jelinek <pjmodos(at)pjmodos(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jan Urbański <wulczer(at)wulczer(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] DefaultACLs
Date: 2009-09-29 07:56:20
Message-ID: 4AC1BDA4.2070004@pjmodos.net
Lists: pgsql-hackers

Stephen Frost wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>
>>> One potential trouble spot is that presumably the built-in default
>>> privileges (eg, PUBLIC EXECUTE for functions) would *not* cumulate
>>> with user-specified defaults.
>>>
>> Why not?
>>
>
> How would you have a default that says "I *don't* want public execute on
> my new functions"?
>

This is actually a problem that applies to Robert's whole proposal. How
would you define that you don't want insert on new tables in a schema when you
granted it for the whole database? I don't think any kind of mixing of
different default privileges is a good idea. I was thinking about
rejecting creation of conflicting default privileges, but that would be
impossible to detect before object creation, which is too late.

--
Regards
Petr Jelinek (PJMODOS)
