Re: BUG #1150: grant options not properly checked

From: Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)postgresql(dot)org, Peter Eisentraut <peter_e(at)gmx(dot)net>
Subject: Re: BUG #1150: grant options not properly checked
Date: 2004-05-11 15:51:10
Message-ID: Pine.LNX.4.58.0405111658360.21629@sablons.cri.ensmp.fr
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs


Dear Tom,

> ...
> Note that says WARNING, not ERROR. So I guess what we need to do is
> narrow the privilege set and issue a warning message.

Yep.

> I think this also bears on the question that was raised before about
> whether REVOKE should raise an error if you don't have the right to
> revoke the privileges you're listing. We don't, and based on this
> I think we shouldn't --- but maybe we should issue a warning.

There are two close but different issues.

(1) REVOKE ALL ON SCHEMA foo FROM calvin;

I agree with you that it looks it is allowed, as narrow would mean empty.
I really think a warning is desirable in such a case...

(2) REVOKE USAGE ON SCHEMA foo FROM calvin;

Where USAGE (or any specific right) is not grantable by the issuer.

While browsing the Access Rules of <revoke statement>... it is unclear.
I guess maybe a "grantable" word is missing in my version of the standard,
because otherwise I cannot really extract a semantics from access rule 1
case a in 12.7. Case b is much more explicit in my version for <revoke
role statement>, you need a "WITH ADMIN OPTION".

If my guess is correct and that an access rule is violated, then this
case should result in an error.

--
Fabien Coelho - coelho(at)cri(dot)ensmp(dot)fr

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Tom Lane 2004-05-11 15:57:46 Re: BUG #1150: grant options not properly checked
Previous Message Laurent FAILLIE 2004-05-11 15:23:58 Re: BUG #1151: Initdb fails ...