Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)

I wrote:
> The 'grant select' on views is a IMHO urgent required
> feature. I'll take a look on the code checking permissions
> and the rewrite system.

Interesting - first of all an unprivileged user cannot create
any view "pg_rewrite: Permission denied". I think this is
absolutely wrong.

Anyway - if we add a flag to the rangetable entry that tells
the executor in ExecCheckPerms() if this rte came from the
rewriting due to a view or not, it can skip the permission
check on that and the tests will pass.

But then we'll run into a little security hole problem. If
the permissions only rely on access to the view, the view
owner (or public as long as ACL_WORLD_DEFAULT contains
ACL_RD) can select throug the view. So we must check on view
creation that the creator of the view has proper permissions
to what the view selects. And in addition if not all objects
the view selects are granted to public, we should
automagically revoke public from the view so the creator must
explicitly grant access to the view.

Anything forgotten?

Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#======================================== jwieck(at)debis(dot)com (Jan Wieck) #