| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Subject: | Re: Role Self-Administration |
| Date: | 2021-10-05 16:23:33 |
| Message-ID: | CA+TgmoYph+PPPFZTEX_eS0aPsBADf6Nrc1byQ5bD7Z_H=y2LSw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Oct 4, 2021 at 10:57 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> - Disallow roles from being able to REVOKE role membership that they
> didn't GRANT in the first place.
I think that's not quite the right test. For example, if alice and bob
are superusers and alice grants pg_monitor to doug, bob should be able
to revoke that grant even though he is not alice.
I think the rule should be: roles shouldn't be able to REVOKE role
memberships unless they can become the grantor.
But I think maybe if it should even be more general than that and
apply to all sorts of grants, rather than just roles and role
memberships: roles shouldn't be able to REVOKE any granted permission
unless they can become the grantor.
For example, if bob grants SELECT on one of his tables to alice, he
should be able to revoke the grant, too. But if the superuser performs
the grant, why should bob be able to revoke it? The superuser has
spoken, and bob shouldn't get to interfere ... unless of course he's
also a superuser.
--
Robert Haas
EDB: http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fujii Masao | 2021-10-05 16:25:00 | Re: Allow escape in application_name |
| Previous Message | Robert Haas | 2021-10-05 16:16:06 | Re: Fix pg_log_backend_memory_contexts() 's delay |