
Re: pre-proposal: permissions made easier

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: Jeff Davis <pgsql(at)j-davis(dot)com>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pre-proposal: permissions made easier
Date: 2009-06-29 18:53:07
Lists: pgsql-hackers
Josh Berkus <josh(at)agliodbs(dot)com> writes:
> The second, and bigger problem I can see is that this opens a whole new 
> set of security holes by allowing an end-run around the existing access 
> control structure which attackers can try to exploit.

Yeah.  I'm very concerned about any scheme that invents additional
sources of permissions that aren't visible in the object's own ACL list.
Even if it's secure in its own terms, it'll blindside people and
programs who are used to the existing ways of doing things.

From what I recall of prior discussions, there is rough consensus that
the two types of facilities you mentioned (setting up default ACLs to be
applied at creation of objects created later, and providing a way to
change multiple objects' permissions with one GRANT) are desirable,
though there is plenty of argument about the details.  Neither of these
results in creating any new sources of permissions --- a given object's
ACL is still the whole truth.

			regards, tom lane
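The two facilities described above (default ACLs for objects created later, and one GRANT covering many existing objects) were later shipped in PostgreSQL 9.0 as ALTER DEFAULT PRIVILEGES and GRANT ... ON ALL TABLES IN SCHEMA. The SQL below is an added example, not part of the thread, that walks through both and then reads each table's own ACL from the catalog to show the point of the last paragraph: the permission lands in the object's ACL, not in a hidden side channel. It assumes PostgreSQL 9.0 or later; the role, schema and table names are constructed.

```sql
-- Constructed names for illustration only.
CREATE ROLE app_reader NOLOGIN;
CREATE SCHEMA app;

-- A table that already exists before any default ACL is set up.
CREATE TABLE app.legacy (id int);

-- (1) Default ACL: tables created later in schema app by the role running
--     this statement automatically carry SELECT for app_reader.
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES TO app_reader;
CREATE TABLE app.orders (id int);   -- created after the default was set

-- At this point app.orders lists app_reader in its ACL; app.legacy does not,
-- because default privileges only affect objects created afterwards.
SELECT c.relname, c.relacl
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'app' AND c.relkind = 'r'
 ORDER BY c.relname;

-- (2) One GRANT for every existing table in the schema, covering app.legacy.
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_reader;

-- The audit check: both tables now show app_reader=r/<owner> in relacl.
-- Nothing else needs to be consulted to know who can read them.
SELECT c.relname, c.relacl
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'app' AND c.relkind = 'r'
 ORDER BY c.relname;

-- The default ACLs themselves are also visible in the catalog, so an auditor
-- can enumerate what future objects will receive rather than being surprised.
SELECT d.defaclobjtype, n.nspname, d.defaclacl
  FROM pg_default_acl d
  LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace;
```

Note that ALTER DEFAULT PRIVILEGES applies only to objects created by the role that issued it (or the role named with FOR ROLE), so a complete audit reads pg_default_acl for every creating role, not just the current one.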

