| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | josh(at)agliodbs(dot)com |
| Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Marko Kreen <markokr(at)gmail(dot)com>, Bruno Wolff III <bruno(at)wolff(dot)to>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] Inconsistent syntax in GRANT |
| Date: | 2006-01-06 23:36:43 |
| Message-ID: | 23680.1136590603@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
Josh Berkus <josh(at)agliodbs(dot)com> writes:
>> BTW, what about lastval()?
> Overal, it's hard to get too concerned about this, since a user can't
> really get anything out of lastval() if he doesn't have permissions on the
> sequence he's trying to query, in order to run currval.
Well, no, consider my example to Marko: there could be a SECURITY
DEFINER function that has the privilege to run nextval(). After
that, if lastval() isn't privilege-checked then code that doesn't
have any privilege at all on the sequence could get at the value.
However, looking at the source code I see that lastval() does in fact
insist on SELECT rights on the sequence the value is coming from.
So I guess we can just leave that as-is.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Stark | 2006-01-06 23:36:52 | Re: Improving N-Distinct estimation by ANALYZE |
| Previous Message | Josh Berkus | 2006-01-06 23:26:14 | Re: Improving N-Distinct estimation by ANALYZE |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marko Kreen | 2006-01-06 23:44:12 | Re: [HACKERS] Inconsistent syntax in GRANT |
| Previous Message | Josh Berkus | 2006-01-06 23:21:25 | Re: [HACKERS] Inconsistent syntax in GRANT |