| From: | ljb <lbayuk(at)mindspring(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Permissions with multiple groups... |
| Date: | 2002-09-22 01:24:28 |
| Message-ID: | amj64b$1h9k$1@news.hub.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
tgl(at)sss(dot)pgh(dot)pa(dot)us wrote:
> ljb <lbayuk(at)mindspring(dot)com> writes:
>> The point is that before 7.2, a user-specific GRANT could reduce your
>> rights.
>
> I don't believe a word of this ... AFAIR, it's always been a
> union-of-rights approach. If it was ever different, the change
> was certainly well before 7.1.
Here is the relevant code difference for aclcheck() in 7.1.3 vs 7.2.1.
Look at the difference in return when the user ID matches.
Check it yourself if you still don't believe me.
--- postgresql-7.1.3/src/backend/catalog/aclchk.c 2001-03-21 22:59:18.000000000 -0500
+++ postgresql-7.2.1/src/backend/catalog/aclchk.c 2001-11-05 12:46:24.000000000 -0500
...
case ACL_IDTYPE_UID:
- /* Look for exact match to user */
+ /* See if permission is granted directly to user */
for (i = 1, aip = aidat + 1; /* skip world entry */
i < num && aip->ai_idtype == ACL_IDTYPE_UID;
++i, ++aip)
{
if (aip->ai_id == id)
{
-#ifdef ACLDEBUG_TRACE
+#ifdef ACLDEBUG
elog(DEBUG, "aclcheck: found user %u/%d",
aip->ai_id, aip->ai_mode);
#endif
- return (aip->ai_mode & mode) ? ACLCHECK_OK : ACLCHECK_NO_PRIV;
+ if (aip->ai_mode & mode)
+ return ACLCHECK_OK;
}
}
| From | Date | Subject | |
|---|---|---|---|
| Next Message | kbase | 2002-09-22 02:51:08 | Re: User Defined Functions |
| Previous Message | Greg Stark | 2002-09-21 23:54:41 | Re: IN vs EXIIST |