Re: [HACKERS] drop user doesn't remove rights from tables ...

> david=> create user sss;
> CREATE USER
> david=> select * from pg_shadow;
> usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd|valuntil
> --------+--------+-----------+--------+--------+---------+------+----------------------------
> postgres| 502|t |t |t |t | |Sat Jan 31 07:00:00 2037 CET
> david | 501|t |t |t |t | |
> sss | 503|f |t |f |t | |
> (3 rows)
>
> david=> create table test ( i int );
> CREATE
> david=> grant all on test to sss;
> CHANGE
> david=> \z test
> Database = david
> +----------+--------------------------+
> | Relation | Grant/Revoke Permissions |
> +----------+--------------------------+
> | test | {"=","sss=arwR"} |
> +----------+--------------------------+
> david=> drop user sss;
> DROP USER
> david=> \z test
> Database = david
> +----------+--------------------------+
> | Relation | Grant/Revoke Permissions |
> +----------+--------------------------+
> | test | {"=","503=arwR"} |
> +----------+--------------------------+
>
>
> All rights for user 'sss' remains there (but now identified by
> id=503). I'am not sure, if this is error, but it is dangerous.
> ('createuser' with id=503 will grant all rights to new user)

This has been pointed out before. Not sure how to deal with it.

--
Bruce Momjian | http://www.op.net/~candle
maillist(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026