Re: [HACKERS] Postgres acl (fwd)

Forwarded message:
> > I believe I found a bug. If a user other than the postgres superuser is
> > given permission to create databases, then he should be able to destroy
> > the databases he creates. Currently he can't, at least in version 6.2.1
> > complied for SunOS 5.5. Only the poostgres superuser can delete
> > databases. If otherusers try they get the following error message:
> >
> > "WARN:pg_database: Permission denied.
> > destroydb: database destroy failed on tmpdb."
> >
> > eventhough this user is the database admin for tmpdb as shown in the
> > pd_database table.
> >
> >
>
> Here is the fix.  This bug has been around for a while:
>
> ---------------------------------------------------------------------------
>
> *** ./aclchk.c.orig    Tue Jan  6 00:10:25 1998
> --- ./aclchk.c    Tue Jan  6 00:18:40 1998
> ***************
> *** 410,416 ****
>            * pg_database table, there is still additional permissions
>            * checking in dbcommands.c
>            */
> !         if (mode & ACL_AP)
>               return ACLCHECK_OK;
>       }
>
> --- 410,416 ----
>            * pg_database table, there is still additional permissions
>            * checking in dbcommands.c
>            */
> !         if ((mode & ACL_WR) || (mode & ACL_AP))
>               return ACLCHECK_OK;
>       }

I am now thinking about this patch, and I don't think I like it.  The
original code allowed APPEND-only for users who can create databases,
but no DELETE.  The patch gives them DELETE permission, so they can
destroy their database, but they could issue the command:

    select from pg_database

and destroy everyone's.  'drop database' does checkes, but the acl check
is done in the executor, and it doesn't know if the the checks have been
performed or not.

Can someone who has permission to create databases be trusted not to
delete others?  If we say no, how do we make sure they can change
pg_database rows on only databases that they own?

--
Bruce Momjian
maillist@candle.pha.pa.us