Re: Delete rule does not prevent truncate

On 07/23/2015 05:37 PM, Rob Sargent wrote:
> On 07/23/2015 06:27 PM, Adrian Klaver wrote:
>> On 07/23/2015 05:08 PM, Rob Sargent wrote:
>>> On 07/23/2015 04:15 PM, Karsten Hilbert wrote:
>>>> On Thu, Jul 23, 2015 at 12:28:32PM -0600, Rob Sargent wrote:
>>>>
>>>>> I'm suggesting OP might find changing truncate statements to deletes
>>>>> (without a where clause) a simpler solution. Something has to change.
>>>> Well, OP isn't looking for a solution to "delete all rows"
>>>> but rather to _prevent_ deletion.
>>>>
>>>> Tim can't go forth and tell Blackhats to "please use DELETE
>>>> rather than TRUNCATE", right ?
>>>>
>>>> AFAICT it'd be more useful to advise OP to revoke TRUNCATE
>>>> rights on tables.
>>>>
>>>> Karsten
>>> Not sure about Tim and the Blackhats (there's a band name in there
>>> somewhere) but Wouldn't OP have exact same code to fix, one way or
>>> another?
>>>
>>
>> I think the point was, the OP(Tim) might not have access to the code
>> that is trying to TRUNCATE. This could be because it is coming from
>> authorized users who are writing their own code or unauthorized
>> users(Blackhats) who are trying to sneak code in.
>>
>>
> Fair enough but both blackhats and the authorized are just as likely to
> drop the database as truncate something (intentionally or not) and
> backups stashed everywhere is the first order of business.

Well that is a different crisis and not covered by rules or triggers:)

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com