
Re: Schema security

From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: Paul Lambert <paul(dot)lambert(at)reynolds(dot)com(dot)au>
Cc: pgsql admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Schema security
Date: 2007-12-13 18:49:22
Message-ID: 20071213104922.0503cb8f@commandprompt.com
Lists: pgsql-admin

On Thu, 13 Dec 2007 14:55:53 +0900
Paul Lambert <paul(dot)lambert(at)reynolds(dot)com(dot)au> wrote:
> > The analogy to think about is that usage privilege on a schema is
> > comparable to read access on a directory.  That doesn't necessarily
> > give you access to any single file in the directory --- but lack of
> > it does ensure you cannot get to those files.
> > 
> > 			regards, tom lane

> Point taken and yes, I would agree that default behavior should be to 
> not give privileges to anything other than the explicitly defined 
> object - but would it not be a good idea to provide some sort of 
> cascade/recurse option to granting/revoking privileges so that doing
> so on a container object results in the privileges being propagated
> down the line for the cases where such is desired?

Yes and it has been oft requested. However :), nobody has coded a patch
or submitted a proposal on how it would be done in a maintainable
manner.

> 
> Taking your example of file permissions - although it is not default 
> behavior, it is possible to recursively apply a privilege change to
> a directory onto files/subdirectories within it. Certainly it can be
> done on OpenVMS and Windows that I work with primarily and I'm 99%
> sure it can be done on *ix systems too.

Yes, *ix can do it too.

Sincerely,

Joshua D. Drake 


-- 
The PostgreSQL Company: Since 1997, http://www.commandprompt.com/ 
Sales/Support: +1.503.667.4564   24x7/Emergency: +1.800.492.2240
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
SELECT 'Training', 'Consulting' FROM vendor WHERE name = 'CMD'


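
The distinction in Tom Lane's directory analogy, and a per-table workaround for the missing cascade option, as an added example that is not part of the original message. The schema `app`, its tables and the role `report_reader` are constructed names, a superuser session in a scratch database is assumed, and the `ALL TABLES IN SCHEMA` and `ALTER DEFAULT PRIVILEGES` forms exist only in PostgreSQL 9.0 and later, which postdates this thread.

```sql
-- Added example: schema, tables and role are constructed names.
-- Assumes a superuser session in a scratch database; nothing persists.
BEGIN;
CREATE SCHEMA app;
CREATE TABLE app.orders   (id integer PRIMARY KEY);
CREATE TABLE app.invoices (id integer PRIMARY KEY);
CREATE ROLE report_reader NOLOGIN;

-- "Read access on the directory": USAGE lets the role resolve names in
-- app, but carries no privilege on the tables themselves.
GRANT USAGE ON SCHEMA app TO report_reader;
SELECT has_schema_privilege('report_reader', 'app', 'USAGE')        AS schema_usage,
       has_table_privilege('report_reader', 'app.orders', 'SELECT') AS orders_select;

-- Without a cascade option, generate one GRANT per table from the
-- catalog, review the output, then execute it. quote_ident() keeps
-- mixed-case or otherwise unusual table names intact.
SELECT 'GRANT SELECT ON ' || quote_ident(schemaname) || '.'
       || quote_ident(tablename) || ' TO report_reader;' AS grant_stmt
FROM pg_tables
WHERE schemaname = 'app'
ORDER BY tablename;

-- PostgreSQL 9.0 and later only: the bulk form, plus default privileges
-- so tables the current role creates in app afterwards are covered too.
GRANT SELECT ON ALL TABLES IN SCHEMA app TO report_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT ON TABLES TO report_reader;

-- The other half of the analogy: with USAGE revoked, the table-level
-- SELECT granted above is no longer enough to reach app.orders.
REVOKE USAGE ON SCHEMA app FROM report_reader;
SET LOCAL ROLE report_reader;
SELECT count(*) FROM app.orders;   -- rejected: no USAGE on schema app

ROLLBACK;
```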
