Re: [Patch Review] TRUNCATE Permission
| От | Ryan Bradetich |
|---|---|
| Тема | Re: [Patch Review] TRUNCATE Permission |
| Дата | |
| Msg-id | e739902b0809011232q55d0bd00q72b8d8019104feb7@mail.gmail.com обсуждение исходный текст |
| Ответ на | [Patch Review] TRUNCATE Permission ("Ryan Bradetich" <rbradetich@gmail.com>) |
| Ответы |
Re: [Patch Review] TRUNCATE Permission
|
| Список | pgsql-hackers |
Hello all,
On Sun, Aug 31, 2008 at 11:55 PM, Ryan Bradetich <rbradetich@gmail.com> wrote:
I thought about this some more. I believe my suggestion was incorrect.
Since truncate_check_rel() prevents the use of the truncate command on
system catalogs, the TRUNCATE permission should always be stripped
from the system catalogs.
Here is the inconsistency I observed:
template1=# \z pg_catalog.pg_authid
Access privileges
Schema | Name | Type | Access privileges
------------+-----------+-------+---------------------
pg_catalog | pg_authid | table | rbrad=arwdDxt/rbrad
(1 row)
template1=# select rolname, rolcatupdate from pg_authid;
rolname | rolcatupdate
---------+--------------
rbrad | t
(1 row)
template1=# select has_table_privilege('pg_authid', 'truncate');
has_table_privilege
---------------------
t
(1 row)
template1=# truncate pg_authid;
ERROR: permission denied: "pg_authid" is a system catalog
The TRUNCATE fails even though \z and has_table_privilege() said I had permissions.
Compare with the DELETE privilege:
template1=# select has_table_privilege('pg_authid', 'delete');
has_table_privilege
---------------------
t
(1 row)
template1=# delete from pg_authid;
DELETE 1
Thanks,
- Ryan
On Sun, Aug 31, 2008 at 11:55 PM, Ryan Bradetich <rbradetich@gmail.com> wrote:
I do not believe this is a huge issue since truncate is prohibited on the system catalogs
by the truncate_check_rel().
template1=# truncate pg_authid;
ERROR: permission denied: "pg_authid" is a system catalog
I thought about this some more. I believe my suggestion was incorrect.
Since truncate_check_rel() prevents the use of the truncate command on
system catalogs, the TRUNCATE permission should always be stripped
from the system catalogs.
Here is the inconsistency I observed:
template1=# \z pg_catalog.pg_authid
Access privileges
Schema | Name | Type | Access privileges
------------+-----------+-------+---------------------
pg_catalog | pg_authid | table | rbrad=arwdDxt/rbrad
(1 row)
template1=# select rolname, rolcatupdate from pg_authid;
rolname | rolcatupdate
---------+--------------
rbrad | t
(1 row)
template1=# select has_table_privilege('pg_authid', 'truncate');
has_table_privilege
---------------------
t
(1 row)
template1=# truncate pg_authid;
ERROR: permission denied: "pg_authid" is a system catalog
The TRUNCATE fails even though \z and has_table_privilege() said I had permissions.
Compare with the DELETE privilege:
template1=# select has_table_privilege('pg_authid', 'delete');
has_table_privilege
---------------------
t
(1 row)
template1=# delete from pg_authid;
DELETE 1
Thanks,
- Ryan
В списке pgsql-hackers по дате отправления: