Re: [HACKERS] Postgres acl (fwd)
| От | Bruce Momjian |
|---|---|
| Тема | Re: [HACKERS] Postgres acl (fwd) |
| Дата | |
| Msg-id | 199801061921.OAA09822@candle.pha.pa.us обсуждение исходный текст |
| Ответ на | Re: [HACKERS] Postgres acl (fwd) (The Hermit Hacker <scrappy@hub.org>) |
| Список | pgsql-hackers |
> > On Tue, 6 Jan 1998, Bruce Momjian wrote: > > > > > > > On Tue, 6 Jan 1998, Bruce Momjian wrote: > > > > > > > Can someone who has permission to create databases be trusted not to > > > > delete others? If we say no, how do we make sure they can change > > > > pg_database rows on only databases that they own? > > > > > > deleting a database is accomplished using 'drop database', no? > > > Can the code for that not be modified to see whether the person dropping > > > the database is the person that owns it *or* pgsuperuser? > > > > It already does the check, but issues an SQL from the C code to delete > > from pg_database. I believe any user who can create a database can > > issue the same SQL command from psql, bypassing the drop database > > checks, no? > > Okay, I understand what you mean here...so I guess the next > question is should system tables be directly modifyable by non-superuser? > > For instance, we have a 'drop database' SQL command...can we > restrict 'delete from pg_database' to just superuser, while leaving 'drop > database' open to those with createdb privileges? Same with 'create > user', and, possible, a 'create group' command instead of 'insert into > pg_group'? Yes, we must replace the SQL commands in commands/dbcommands.c with lower-level C table access routines so we do not have to go to the executor, where the access permissions are checked. -- Bruce Momjian maillist@candle.pha.pa.us
В списке pgsql-hackers по дате отправления: