Re: [HACKERS] pg_user "sealed"

From: jwieck(at)debis(dot)com (Jan Wieck)
To: scrappy(at)hub(dot)org (The Hermit Hacker)
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: [HACKERS] pg_user "sealed"
Date: 1998-02-23 20:01:31
Message-ID: m0y744C-000BFRC@orion.SAPserv.Hamburg.dsh.de
Lists: pgsql-hackers


Marc wrote:
>
>
> Okay...
>
> I've modified initdb.sh so that ALL is revoked from pg_user, with
> a view being created to look into it for usename and usesysid, which are
> required by psql...
>
> This gets it so that psql works for \d
>
> I tried to do a rewrite rule on db_user such that password would
> become '*********', but that doesn't appear to work?
>
> Reports of any problems associated with any of the pg_ system
> tables, please let me know

Since you changed ACL_WORLD_DEFAULT to ACL_NO too, there are
now problems on \d <table> (pg_attribute: Permission denied).
And thus I expect more problems. I think users should have
SELECT permission on non-critical system catalogs by default.

But I don't think that setting explicit GRANTs on all the
system catalogs is a good thing. Due to the ACL parsing I
would expect some loss of performance.

So if the relname is given to acldefault() in
utils/adt/acl.c, it can do an IsSystemRelationName() on it and
return ACL_RD instead of ACL_WORLD_DEFAULT.

Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#======================================== jwieck(at)debis(dot)com (Jan Wieck) #
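
The default-ACL rule proposed in the message above, as an added example that is not part of the original post and not PostgreSQL's own code: a self-contained C model in which a relation with no stored ACL gets ACL_RD for world when its name marks it as a system catalog, while an explicit REVOKE still wins. The bit values, the `pg_`-prefix test standing in for IsSystemRelationName(), the helper names and the sample table are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Names follow the message; the numeric values are assumptions. */
#define ACL_NO            0
#define ACL_RD            (1 << 1)
#define ACL_WORLD_DEFAULT ACL_NO      /* the changed default described above */

/* Simplified stand-in for IsSystemRelationName(): "pg_" prefix only. */
static int is_system_relname(const char *relname)
{
    return strncmp(relname, "pg_", 3) == 0;
}

/* Hypothetical stored ACL entry, as left behind by an explicit REVOKE. */
struct stored_acl { const char *relname; int world_mode; };

/* Constructed sample: ALL was revoked from pg_user at initdb time. */
static const struct stored_acl stored_acls[] = { { "pg_user", ACL_NO } };

/* World mode for a relation that has no stored ACL (the proposed rule). */
int acldefault_world(const char *relname)
{
    return is_system_relname(relname) ? ACL_RD : ACL_WORLD_DEFAULT;
}

/* Effective world mode: a stored ACL overrides the computed default. */
int world_mode(const char *relname)
{
    size_t i;
    for (i = 0; i < sizeof stored_acls / sizeof stored_acls[0]; i++)
        if (strcmp(stored_acls[i].relname, relname) == 0)
            return stored_acls[i].world_mode;
    return acldefault_world(relname);
}

int world_can_select(const char *relname)
{
    return (world_mode(relname) & ACL_RD) != 0;
}

int main(void)
{
    const char *rels[] = { "pg_attribute", "pg_class", "pg_user", "mytable" };
    size_t i;
    for (i = 0; i < sizeof rels / sizeof rels[0]; i++)
        printf("%-13s world SELECT: %s\n", rels[i],
               world_can_select(rels[i]) ? "allowed" : "denied");
    return 0;
}
```

In this model pg_user stays unreadable only because of its stored ACL; the name-based default alone would grant ACL_RD on it, so the explicit revoke has to remain in place.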
