On Wed, Jan 31, 2001 at 03:39:46PM -0700, some SMTP stream spewed forth:
> : El Mié 31 Ene 2001 18:32, Dan Wilson escribió:
> : > You can do this in phpPgAdmin... it's a hack because it just pulls in
> : > the objects/relations and runs a single grant statement on them, but it
> : > works. It puts together a query like the following:
> : >
> : > GRANT ALL ON table1, table2, table3, view1, view2, sequence1, sequence2
> : > user
> : >
> : > Which I suppose you can do manually if you don't have phpPgAdmin
> : >
> : > It ain't the prettiest, but it works!
> : The problem is that this is not what I'm looking for. I want the user to
> : able to create new tables, views, sequences, etc on that database.
> Oh, if you want to do that, then you don't have to do any granting of
> priviledges. It seems that Postgres allows any user to create a table on a
Er, to delete anything, the user would need to be a superuser.
Else, nyet, not necessary.
> database. Even if the user is not the owner of the database. AFAIK, there
> are no acl's associated with the database.
For the heck of it, I will certify that this is correct.
> I've posed this question before and have not received any response, but is
> this an undocumented feature or a sercurity bug? Personally, I don't think
> anyone should be able to create relations on a database they do not own.
It is both, depending on how you use it. ;-)
I would and do consider it a blindingly silly security risk, but
apparently nobody else does. I asked before, but...
Just why the hell would somebody want *any* user of *any* database to be
able to *create* anything under *any* other database?!?
In response to
pgsql-hackers by date
|Next:||From: Mike Miller||Date: 2001-02-01 00:23:10|
|Subject: Re: Re: grant privileges to a database [URGENT]|
|Previous:||From: Steve Shaffer||Date: 2001-01-31 22:58:06|
|Subject: ODBC Problem v7.1 beta4|
pgsql-general by date
|Next:||From: Geoff Russell||Date: 2001-02-01 00:01:31|
|Subject: Re: Grant privileges to database|
|Previous:||From: GH||Date: 2001-01-31 23:38:08|
|Subject: Re: Re: php as stored procedures|