From: | The Hermit Hacker <scrappy(at)hub(dot)org> |
---|---|
To: | Jan Wieck <jwieck(at)debis(dot)com> |
Cc: | pgsql-hackers(at)postgreSQL(dot)org |
Subject: | Re: [HACKERS] pg_user "sealed" |
Date: | 1998-02-23 20:01:12 |
Message-ID: | Pine.NEB.3.95.980223145824.17896Y-100000@hub.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, 23 Feb 1998, Jan Wieck wrote:
>
> Marc wrote:
> >
> >
> > Okay...
> >
> > I've modified initdb.sh so that ALL is revoked from pg_user, with
> > a view being created to look into it for usename and usesysid, which are
> > required by psql...
> >
> > This gets it so that psql works for \d
> >
> > I tried to do a rewrite rule on db_user such that password would
> > become '*********', but that does't appear to work?
> >
> > Reports of any problems associated with any of the pg_ system
> > tables, please let me know
>
> Since you changed ACL_WORLD_DEFAULT to ACL_NO too, there are
> now problems on \d <table> (pg_attribute: Permission denied).
> And thus I expect more problems. I think users should have
> SELECT permission on non-critical system catalogs by default.
Okay, I've just been adding in appropriate 'GRANT SELECT's inside
of initdb.sh, for lack of a better idea...
> But I don't think that setting explicit GRANT's on all the
> system catalogs is a good thing. Due to the ACL parsing I
> would expect some loss of performance.
>
> So if the relname is given to acldefault() in
> utils/adt/acl.c, it can do a IsSystemRelationName() on it and
> return ACL_RD instead of ACL_WORLD_DEFAULT.
...which this definitely sound like :) Want to make the change
and send me a patch?
From | Date | Subject | |
---|---|---|---|
Next Message | Jan Wieck | 1998-02-23 20:01:31 | Re: [HACKERS] pg_user "sealed" |
Previous Message | Bruce Momjian | 1998-02-23 19:46:10 | Re: [HACKERS] Views on aggregates - need assistence |