| From: | Derrick Rice <derrick(dot)rice(at)gmail(dot)com> |
|---|---|
| To: | Guillaume Lelarge <guillaume(at)lelarge(dot)info> |
| Cc: | pgsql-docs(at)postgresql(dot)org |
| Subject: | Re: DROP TABLE can be issued by schema owner as well as table owner |
| Date: | 2011-05-20 16:35:24 |
| Message-ID: | BANLkTimfjeEE-2EVnghk0HPynMNvMpMFmQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-docs |
On Fri, May 20, 2011 at 12:18 PM, Guillaume Lelarge
<guillaume(at)lelarge(dot)info>wrote:
> Well, for a specific object, any superuser, the database owner, the
> schema owner, and the object owner could drop the object. This is not a
> vulnerability.
>
It is not documented clearly. Any information not made clear is an
opportunity for an error which leads to a vulnerability.
It is not a vulnerability in postgresql itself. It is a vulnerability in an
ill-designed system, which can come about due to misinformation / lack of
clarity.
Putting your first sentence ("For a specific object, any superuser, the
database owner, the schema owner, and the object owner could drop the
object.") in the documentation would remove the opportunity for error.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2011-05-20 16:53:49 | Re: DROP TABLE can be issued by schema owner as well as table owner |
| Previous Message | Guillaume Lelarge | 2011-05-20 16:18:13 | Re: DROP TABLE can be issued by schema owner as well as table owner |