| From: | "Florian Pflug" <fgp(at)phlo(dot)org> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Strange permission problem regarding pg_settings |
| Date: | 2003-12-11 02:32:45 |
| Message-ID: | 32857.212.183.86.153.1071109965.squirrel@mail.brumma.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Tom Lane said:
> Hm. By rights it *should* fail, since the ACL is clearly not granting
UPDATE permissions to anybody.
>
> The fact that it fails to fail seems to be because the rules on
> pg_settings rewrite the UPDATE into DO INSTEAD NOTHING (which does
nothing, in particular makes no permission checks) and a SELECT, which
only requires read-permission on pg_settings. This is probably bogus
and we ought to see what we can do about fixing it. (And we'd better
fix initdb to grant UPDATE on pg_settings to public, too.)
>
> Now, why does Florian see a permissions failure (which is really the
*right* behavior) when we don't? He didn't say exactly which PG version
he was running, but I see a likely-related bug fix between 7.3.2 and
7.3.3:
Sorry for not specifing the exact postgres versions involved initially - I
believed that the problem were different default on redhat and debian, or
different compiling options...
RedHat-9: postgres 7.3.2-3
debian: postgres 7.3.2r1-5 (sid backport)
I tried setting the relacl for the pg_settings table to {=rw}, but I still
get permission denied. To double-check, I then set it to {=}, and this
lets not only the update fail, but also select now gives "permission
denied" (The correct behaviour I believe).
greetings, Florian Pflug
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mike Nolan | 2003-12-11 02:39:17 | Any commercial shopping cart packages using postgresql? |
| Previous Message | Keith C. Perry | 2003-12-11 02:19:46 | Re: Moving a database between servers |