| From: | Bruce Momjian <maillist(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | vadim(at)sable(dot)krasnoyarsk(dot)su (Vadim B(dot) Mikheev) |
| Cc: | hackers(at)postgreSQL(dot)org |
| Subject: | Re: [HACKERS] permission issue |
| Date: | 1998-02-27 15:06:31 |
| Message-ID: | 199802271506.KAA06363@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
>
> Tables INS (x int) and SEL (y int) are owned by dbadm, for another
> user SELECT granted on SEL, INSERT - on INS.
>
> Should another user be able to do
>
> insert into ins select y from sel where x = y;
My guess is that the other user doesn't have SELECT permissions on
INS.y, so this should fail, no?
>
> or not ?
> Currently, PG allows this. Backend tries to check
> (in execMain.c:ExecCheckPerms()) is READ access to
> table being changed granted to user or not, but this check
> seems to be quite stupid:
>
> qvars = pull_varnos(parseTree->qual);
> tvars = pull_varnos((Node *) parseTree->targetList);
> if (intMember(resultRelation, qvars) ||
> intMember(resultRelation, tvars))
>
> : pull_varnos is very simple and just skips expressions in
> qual & target list.
>
> We have to either get rid of this check or change it.
>
> What do you think ?
> How "big boys" handle this ?
>
> Vadim
>
>
--
Bruce Momjian | 830 Blythe Avenue
maillist(at)candle(dot)pha(dot)pa(dot)us | Drexel Hill, Pennsylvania 19026
+ If your life is a hard drive, | (610) 353-9879(w)
+ Christ can be your backup. | (610) 853-3000(h)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Brett McCormick | 1998-02-27 15:06:46 | Re: [HACKERS] Money type display |
| Previous Message | Bruce Momjian | 1998-02-27 15:00:43 | Re: [HACKERS] INT2OID, etc. |