Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)

I wrote:
>     The  'grant  select'  on  views  is  a  IMHO  urgent required
>     feature.  I'll take a look on the code  checking  permissions
>     and the rewrite system.

    Interesting - first of all an unprivileged user cannot create
    any view "pg_rewrite: Permission denied".  I  think  this  is
    absolutely wrong.

    Anyway  - if we add a flag to the rangetable entry that tells
    the executor in ExecCheckPerms() if this rte  came  from  the
    rewriting  due  to  a view or not, it can skip the permission
    check on that and the tests will pass.

    But then we'll run into a little security hole  problem.   If
    the  permissions  only  rely  on access to the view, the view
    owner  (or  public  as  long  as  ACL_WORLD_DEFAULT  contains
    ACL_RD)  can select throug the view. So we must check on view
    creation that the creator of the view has proper  permissions
    to what the view selects.  And in addition if not all objects
    the  view  selects  are  granted   to   public,   we   should
    automagically revoke public from the view so the creator must
    explicitly grant access to the view.

    Anything forgotten?


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#======================================== jwieck@debis.com (Jan Wieck) #