Skip site navigation (1) Skip section navigation (2)

Re: Must be table owner to truncate?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Ragnar <gnari(at)hive(dot)is>
Cc: Kevin Hunter <hunteke(at)earlham(dot)edu>,Postgres General List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Must be table owner to truncate?
Date: 2008-07-30 14:46:02
Message-ID: 20080730144602.GQ16005@tamriel.snowman.net (view raw or flat)
Thread:
Lists: pgsql-general
* Ragnar (gnari(at)hive(dot)is) wrote:
> 
> On miĆ°, 2008-07-30 at 07:36 -0400, Kevin Hunter wrote:
> > At 3:45p -0400 on Mon, 28 Jul 2008, Said Ramirez wrote:
> > > According to the documentation,
> > > http://www.postgresql.org/docs/current/interactive/sql-truncate.html ,
> > > only the owner can truncate a table. Which means the non-owner must
> > > either log in/ switch roles as the owner, or they can just run a DELETE.
> > 
> > Well that's interesting.  From a security standpoint, what's the
> > difference between an unqualified DELETE and a TRUNCATE?
> 
> lack of triggers and RULEs spring to mind.

It also takes a bigger lock on the table than DELETE, which may or may
not be considered a security issue.  triggers really are the big issue
wrt security and why it deserves to be a seperatelly grantable
permission from delete.

	Thanks,

		Stephen

In response to

pgsql-general by date

Next:From: Alvaro HerreraDate: 2008-07-30 14:51:44
Subject: Re: Connecting to an existing transaction state.
Previous:From: Francisco ReyesDate: 2008-07-30 14:23:12
Subject: Re: Connecting to an existing transaction state.

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group