Josh Berkus <josh@agliodbs.com> writes:
> The second, and bigger problem I can see is that this opens a whole new
> set of security holes by allowing an end-run around the existing access
> control structure with attackers can try to exploit.
Yeah. I'm very concerned about any scheme that invents additional
sources of permissions that aren't visible in the object's own ACL list.
Even if it's secure in its own terms, it'll blindside people and
programs who are used to the existing ways of doing things.
From what I recall of prior discussions, there is rough consensus that
the two types of facilities you mentioned (setting up default ACLs to be
applied at creation of objects created later, and providing a way to
change multiple objects' permissions with one GRANT) are desirable,
though there is plenty of argument about the details. Neither of these
result in creating any new sources of permissions --- a given object's
ACL is still the whole truth.
regards, tom lane