I think it should stay that way - being able to deny oneself a privilege is a
good way to make sure that one does what one does consciously. I know the
root password on many machines, but I still do almost everything through a
normal account - that way I have to make a conscious decison to become
dangerous :-) and if I accidentaly try to do something dangerous as an
ordinary user a) it doesn't happen and b) I'm reminded how dangerous it is.
I still have the ability to do dangerous things, I just have to take an extra
step.
I agree with your point regarding RULE permission and GRANT ALL; however,
GRANT ALL really should grant ALL, don't you think? Maybe add a variant
"GRANT NORMAL", where "NORMAL" is a mask of permissions set by the
administrator (of the given database of course).�
Regards, K.
Am 21-Oct-98 schrieb Jan Wieck:
> Hi,
>
> while writing the chapter about Rules and permissions I
> remember that there was a problem with non privileged users.
> As soon as someone without superuser privs does a GRANT or
> REVOKE on his relations, he must GRANT explicitly to himself
> too or will get a "permission denied". I think since the
> table owner allway has the right to change ACL's, this
> doesn't make sense. I'll dig it up and send in a patch soon.
>
> While doing this, should I exclude RULE permission from GRANT
> ALL? I think it's dangerous to have it included, because the
> usual way to give full access is a GRANT ALL and someone
> might forget that this includes the right to disable rule
> actions for a moment. The output of pg_rules gives anyone the
> knowledge to reinstall the correct rules after. An explicitly
> required GRANT RULE is better IMHO. And the RULE right isn't
> standard, is it?
>
>
> Jan
>
> --
>
>#======================================================================#
># It's easier to get forgiveness for being wrong than for being right. #
># Let's break this rule - forgive me. #
>#======================================== jwieck(at)debis(dot)com (Jan Wieck) #
>
>
>
---
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (auer(at)kom(dot)id(dot)ethz(dot)ch) Geschaeft/work +41-1-6327531
Kommunikation, ETHZ RZ Privat/home +41-1-4517941
Clausiusstrasse 59 Fax +41-1-6321225
CH-8092 ZUERICH Switzerland