
Re: BUG #1150: grant options not properly checked

From: Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)postgresql(dot)org, Peter Eisentraut <peter_e(at)gmx(dot)net>
Subject: Re: BUG #1150: grant options not properly checked
Date: 2004-05-11 15:51:10
Message-ID: Pine.LNX.4.58.0405111658360.21629@sablons.cri.ensmp.fr
Lists: pgsql-bugs
Dear Tom,

> ...
> Note that says WARNING, not ERROR.  So I guess what we need to do is
> narrow the privilege set and issue a warning message.

Yep.

> I think this also bears on the question that was raised before about
> whether REVOKE should raise an error if you don't have the right to
> revoke the privileges you're listing.  We don't, and based on this
> I think we shouldn't --- but maybe we should issue a warning.

There are two close but different issues.

(1) REVOKE ALL ON SCHEMA foo FROM calvin;

I agree with you that it looks like it is allowed, as narrowing would mean empty.
I really think a warning is desirable in such a case...


(2) REVOKE USAGE ON SCHEMA foo FROM calvin;

Where USAGE (or any specific right) is not grantable by the issuer.

While browsing the Access Rules of <revoke statement>... it is unclear.
I guess maybe a "grantable" word is missing in my version of the standard,
because otherwise I cannot really extract a semantics from access rule 1
case a in 12.7. Case b is much more explicit in my version for <revoke
role statement>, you need a "WITH ADMIN OPTION".

If my guess is correct and an access rule is violated, then this
case should result in an error.


-- 
Fabien Coelho - coelho(at)cri(dot)ensmp(dot)fr
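
The two cases from this message as a reproduction script, added here as an example and not part of the original message or of the PostgreSQL sources. The role `hobbes` (the issuer, holding USAGE without grant option) is an assumption; `calvin` and `foo` are the names used above. Run it as a superuser on a scratch database and note whether each REVOKE is silent, raises a WARNING or raises an ERROR, and whether calvin's privilege changes.

```sql
-- Constructed setup: "hobbes" is a hypothetical issuer; "calvin" and "foo"
-- are the names used in the message.
CREATE ROLE hobbes;
CREATE ROLE calvin;
CREATE SCHEMA foo;            -- owned by the superuser running the script

-- Both roles receive USAGE, and neither receives WITH GRANT OPTION,
-- so hobbes holds the privilege but cannot pass it on or take it away.
GRANT USAGE ON SCHEMA foo TO hobbes;
GRANT USAGE ON SCHEMA foo TO calvin;

-- Baseline: calvin's privilege and the raw ACL before any REVOKE.
SELECT has_schema_privilege('calvin', 'foo', 'USAGE') AS calvin_usage_before;
SELECT nspname, nspacl FROM pg_namespace WHERE nspname = 'foo';

-- Act as the issuer who has no grant option on the schema.
SET SESSION AUTHORIZATION hobbes;

-- Case (1): ALL, where narrowing to what hobbes may revoke leaves nothing.
REVOKE ALL ON SCHEMA foo FROM calvin;

-- Case (2): a specific privilege that is not grantable by the issuer.
REVOKE USAGE ON SCHEMA foo FROM calvin;

RESET SESSION AUTHORIZATION;

-- Compare with the baseline: did either REVOKE change anything?
SELECT has_schema_privilege('calvin', 'foo', 'USAGE') AS calvin_usage_after;
SELECT nspname, nspacl FROM pg_namespace WHERE nspname = 'foo';

-- Clean up the constructed objects.
DROP SCHEMA foo;
DROP ROLE calvin;
DROP ROLE hobbes;
```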
