On Wed, 31 Jul 2002, Lamar Owen wrote:
> On Tuesday 30 July 2002 11:51 pm, Tom Lane wrote:
> > Lamar Owen <lamar(dot)owen(at)wgcr(dot)org> writes:
> > >> CREATE DATABASE foo WITH LOCATION = 'BAR'
> > > And requires you to be a database superuser anyway.
> > CREATE DATABASE does not require superuser privs, only createdb
> > which is not usually considered particular dangerous.
> Pardon my misspeak, as there are those two components to the privs. My error.
> Typically normal users aren't given create database privileges -- at
> least on my systems.
> ...But I'm not convinced that the security angle is a
> valid reason. The consistency reason is enough alone to warrant it
> being that way.
We've already had three incorrect security analysis of this in the
space of a couple of hours, from people are reasonably familiar
with postgres and (presumably) use it all the time, and you think
this is not a security problem?!
Anyway, I'll shut up now.
Curt Sampson <cjs(at)cynic(dot)net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
In response to
pgsql-hackers by date
|Next:||From: Yuva Chandolu||Date: 2002-07-31 04:46:57|
|Subject: Re: Outer join differences|
|Previous:||From: Curt Sampson||Date: 2002-07-31 04:40:21|
|Subject: Re: Rules and Views |