Re: [HACKERS] Postgres acl (fwd)

From: Kevin Witten <kwitten(at)qdt(dot)com>
To: Bruce Momjian <maillist(at)candle(dot)pha(dot)pa(dot)us>
Cc: PostgreSQL-development <hackers(at)postgreSQL(dot)org>
Subject: Re: [HACKERS] Postgres acl (fwd)
Date: 1998-01-06 18:01:03
Message-ID: 34B2715F.6C1E73A3@qdt.com
Lists: pgsql-hackers

Bruce Momjian wrote:
>
> Forwarded message:
> > > I believe I found a bug. If a user other than the postgres superuser is
> > > given permission to create databases, then he should be able to destroy
> > > the databases he creates. Currently he can't, at least in version 6.2.1
> > > complied for SunOS 5.5. Only the poostgres superuser can delete
> > > databases. If otherusers try they get the following error message:
> > >
> > > "WARN:pg_database: Permission denied.
> > > destroydb: database destroy failed on tmpdb."
> > >
> > > even though this user is the database admin for tmpdb as shown in the
> > > pg_database table.
> > >
> > >
> >
> > Here is the fix. This bug has been around for a while:
> >
> > ---------------------------------------------------------------------------
> >
> > *** ./aclchk.c.orig Tue Jan 6 00:10:25 1998
> > --- ./aclchk.c Tue Jan 6 00:18:40 1998
> > ***************
> > *** 410,416 ****
> > * pg_database table, there is still additional permissions
> > * checking in dbcommands.c
> > */
> > ! if (mode & ACL_AP)
> > return ACLCHECK_OK;
> > }
> >
> > --- 410,416 ----
> > * pg_database table, there is still additional permissions
> > * checking in dbcommands.c
> > */
> > ! if ((mode & ACL_WR) || (mode & ACL_AP))
> > return ACLCHECK_OK;
> > }
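Review bot: the `! if ((mode & ACL_WR) || (mode & ACL_AP))` line widens the pg_database exception from append-only to any write, and this check has no row context, so a user who may create databases passes the ACL check for a DELETE or UPDATE against every row of pg_database, not only rows whose datdba is that user. The comment just above the hunk says the remaining permission checks are in dbcommands.c, which covers the destroydb path but not a DML statement issued directly against the catalog; suggest leaving only ACL_AP here and applying the ownership test (datdba equal to the requesting user id) at the point where the specific row is identified, so that a database owner can drop their own database without being able to remove anyone else's row.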
>
> I am now thinking about this patch, and I don't think I like it. The
> original code allowed APPEND-only for users who can create databases,
> but no DELETE. The patch gives them DELETE permission, so they can
> destroy their database, but they could issue the command:
>
> select from pg_database
>
> and destroy everyone's. 'drop database' does checks, but the acl check
> is done in the executor, and it doesn't know if the checks have been
> performed or not.
>
> Can someone who has permission to create databases be trusted not to
> delete others? If we say no, how do we make sure they can change
> pg_database rows on only databases that they own?
>
> --
> Bruce Momjian
> maillist(at)candle(dot)pha(dot)pa(dot)us

Can't you check to see if they own the database before you let them
delete the row in pg_database? If a row is deleted from pg_database, it
is disallowed unless the userid is the same as the datdba field in that
row.
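The three rules under discussion (append-only as in the original aclchk.c, write-or-append as in the quoted patch, and the row-ownership test proposed in this reply), as an added example in C that is not code from the thread or from PostgreSQL's aclchk.c. The ACL mode bits, result codes, the DbRow struct and the pg_database rows are constructed stand-ins with illustrative values; the point is to show how many catalog rows a whole-table DELETE by a non-superuser removes under each rule.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the ACL mode bits and result codes that
 * aclchk.c uses; the numeric values are illustrative, not PostgreSQL's. */
#define ACL_RD 0x1
#define ACL_WR 0x2   /* write: UPDATE or DELETE of an existing row */
#define ACL_AP 0x4   /* append: INSERT of a new row */

#define ACLCHECK_OK      0
#define ACLCHECK_NO_PRIV 1

/* One row of a constructed pg_database: name plus owning user id (datdba). */
typedef struct {
    const char *datname;
    int datdba;
} DbRow;

/* Original rule: a user allowed to create databases may APPEND only. */
static int check_original(int mode, bool can_create_db)
{
    if (can_create_db && (mode & ACL_AP))
        return ACLCHECK_OK;
    return ACLCHECK_NO_PRIV;
}

/* Rule after the quoted patch: WRITE or APPEND, with no knowledge of
 * which row is being touched, so it applies to every row alike. */
static int check_patched(int mode, bool can_create_db)
{
    if (can_create_db && ((mode & ACL_WR) || (mode & ACL_AP)))
        return ACLCHECK_OK;
    return ACLCHECK_NO_PRIV;
}

/* Row-aware rule from the reply: APPEND as before, but WRITE only on a
 * row whose datdba equals the requesting user id. */
static int check_owner(int mode, bool can_create_db, int userid, const DbRow *row)
{
    if (!can_create_db)
        return ACLCHECK_NO_PRIV;
    if (mode & ACL_AP)
        return ACLCHECK_OK;
    if ((mode & ACL_WR) && row != NULL && row->datdba == userid)
        return ACLCHECK_OK;
    return ACLCHECK_NO_PRIV;
}

/* Count the rows a whole-table DELETE by userid would remove under one rule.
 * rule: 0 = original, 1 = patched, 2 = owner-aware. */
int rows_deletable(int rule, int userid, bool can_create_db,
                   const DbRow *cat, int n)
{
    int removed = 0;
    for (int i = 0; i < n; i++) {
        int rc;
        switch (rule) {
        case 0:  rc = check_original(ACL_WR, can_create_db); break;
        case 1:  rc = check_patched(ACL_WR, can_create_db); break;
        default: rc = check_owner(ACL_WR, can_create_db, userid, &cat[i]); break;
        }
        if (rc == ACLCHECK_OK)
            removed++;
    }
    return removed;
}

/* Constructed catalog: uid 1 (superuser) owns template1, uid 42 owns tmpdb,
 * uid 7 owns otherdb. */
static const DbRow catalog[] = {
    { "template1", 1 },
    { "tmpdb",     42 },
    { "otherdb",   7 },
};
#define NCAT ((int)(sizeof catalog / sizeof catalog[0]))

/* Rows removed by "delete from pg_database" issued by uid 42, who may
 * create databases but is not the superuser. */
int deletable_by_user42(int rule)
{
    return rows_deletable(rule, 42, true, catalog, NCAT);
}

int main(void)
{
    const char *names[] = { "original", "patched", "owner-aware" };
    for (int r = 0; r < 3; r++)
        printf("%-11s rule: delete from pg_database by uid 42 removes %d of %d rows\n",
               names[r], deletable_by_user42(r), NCAT);
    return 0;
}
```

Under the patched rule uid 42 removes all three rows, which is the outcome the earlier message warns about; under the owner-aware rule only tmpdb goes, while the original rule refuses the delete entirely.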
