Re: [PATCH] DefaultACLs

KaiGai Kohei napsal(a):
> I tried to check the default ACL behavior.
>
> It works for me fine, good, but ...
>
>   postgres=> SELECT * INTO t3 FROM t1;
>   SELECT
>   postgres=> SELECT * FROM t3;
>    a |  b
>   ---+-----
>    1 | aaa
>    2 | bbb
>   (2 rows)
>
>   postgres=> INSERT INTO t3 VALUES (3,'ccc');
>   ERROR:  permission denied for relation t3
>
> In this case, the new table t3 is created with the default ACL which does not
> allow to insert any values by the owner of the relation.
>
> SELECT INTO does not check ACL_INSERT on the newly created tables, because
> we had been able to assume the table owner always has privilege to insert
> values into the new table.
> So, OpenIntoRel() didn't check this obvious privilege.
>
> But the default ACL feature breaks this assumption. The table owner may not
> have privilege to insert values into new tables.
> So, it is necessary to put actual access controls on the OpenIntoRel().
>   

That's strange behavior I agree. However I don't see how default ACLs
changed it in any way, owner could REVOKE his privileges before.

-- 
Regards
Petr Jelinek (PJMODOS)