Re: Permissions with multiple groups...

From: ljb <lbayuk(at)mindspring(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Permissions with multiple groups...
Date: 2002-09-22 01:24:28
Message-ID: amj64b$1h9k$1@news.hub.org
Lists: pgsql-general

tgl(at)sss(dot)pgh(dot)pa(dot)us wrote:
> ljb <lbayuk(at)mindspring(dot)com> writes:
>> The point is that before 7.2, a user-specific GRANT could reduce your
>> rights.
>
> I don't believe a word of this ... AFAIR, it's always been a
> union-of-rights approach. If it was ever different, the change
> was certainly well before 7.1.

Here is the relevant code difference for aclcheck() in 7.1.3 vs 7.2.1.
Look at the difference in return when the user ID matches.
Check it yourself if you still don't believe me.

--- postgresql-7.1.3/src/backend/catalog/aclchk.c 2001-03-21 22:59:18.000000000 -0500
+++ postgresql-7.2.1/src/backend/catalog/aclchk.c 2001-11-05 12:46:24.000000000 -0500

...

case ACL_IDTYPE_UID:
- /* Look for exact match to user */
+ /* See if permission is granted directly to user */
for (i = 1, aip = aidat + 1; /* skip world entry */
i < num && aip->ai_idtype == ACL_IDTYPE_UID;
++i, ++aip)
{
if (aip->ai_id == id)
{
-#ifdef ACLDEBUG_TRACE
+#ifdef ACLDEBUG
elog(DEBUG, "aclcheck: found user %u/%d",
aip->ai_id, aip->ai_mode);
#endif
- return (aip->ai_mode & mode) ? ACLCHECK_OK : ACLCHECK_NO_PRIV;
+ if (aip->ai_mode & mode)
+ return ACLCHECK_OK;
}
}
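
Review bot: In the `if (aip->ai_id == id)` branch, the 7.2.1 side no longer returns ACLCHECK_NO_PRIV when the matching user entry lacks the requested mode bits; it returns only when `aip->ai_mode & mode` is non-zero and otherwise keeps going. That turns a per-user entry from a final answer into one possible source of rights, which is a change in access-control semantics, yet the only documentation in the hunk is the reworded comment `/* See if permission is granted directly to user */`. I would ask for a comment at this branch saying that a user entry without the needed bits falls through to whatever checks follow the loop (not shown in this hunk), plus a release-note entry, because an ACL that relied on a narrower per-user entry to restrict someone may stop restricting them if a later check grants the right. The `ACLDEBUG_TRACE` to `ACLDEBUG` rename is unrelated to the permission logic and would be easier to review as its own change.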
