Re: "with grant option" for user groups.

Theoretically same kind of problem should arise even if the privilege is
granted to a user also.
To be specific I would like know the answers for the following Q's

Scenario 1:
===========
User A grants privilege to group B with grant option.
User C who is in group B grants privilege to user D

If super user removes the user C from the group, then who is the grantee for
the user D? And who can revoke revoke the privileges from user D?

Scenario 2:
===========
User A grants privilege to group 'B' and 'Z' with grant option.
User C who is in group 'B' and 'Z' grants privilege to user D.

If user C removed from the group 'B' then who will be the grantee for user
'D'? And who can revoke revoke the privileges from user D?

If user C is removed from both the groups then who will be the grantee for
the user? And who can revoke revoke the privileges from user D?

Thanks & Regards,
Ramu

-----Original Message-----
From: Peter Eisentraut [mailto:peter_e(at)gmx(dot)net]
Sent: Friday, January 09, 2004 8:11 PM
To: Potuganti Ramu; pgsql-hackers(at)postgresql(dot)org
Subject: Re: [HACKERS] "with grant option" for user groups.

> Following statement says that "with grant option" is not allowed to a user
> group. I would like to know what the reasons behind not implementing
> this kind of feature.

Consider the following sequence of steps:

in database 1:
user A grants privilege to group B with grant option
user C who is in group B grants privilege to user D

in database 2:
superuser removes user C from group B

--> user D still has the privilege, because superuser doesn't have access to

database 1 from his session

If you can live with this problem, then you can remove the check from the
source code and it should work.