Bruce Momjian wrote:
>
> Forwarded message:
> > > I believe I found a bug. If a user other than the postgres superuser is
> > > given permission to create databases, then he should be able to destroy
> > > the databases he creates. Currently he can't, at least in version 6.2.1
> > > complied for SunOS 5.5. Only the poostgres superuser can delete
> > > databases. If otherusers try they get the following error message:
> > >
> > > "WARN:pg_database: Permission denied.
> > > destroydb: database destroy failed on tmpdb."
> > >
> > > eventhough this user is the database admin for tmpdb as shown in the
> > > pd_database table.
> > >
> > >
> >
> > Here is the fix. This bug has been around for a while:
> >
> > ---------------------------------------------------------------------------
> >
> > *** ./aclchk.c.orig Tue Jan 6 00:10:25 1998
> > --- ./aclchk.c Tue Jan 6 00:18:40 1998
> > ***************
> > *** 410,416 ****
> > * pg_database table, there is still additional permissions
> > * checking in dbcommands.c
> > */
> > ! if (mode & ACL_AP)
> > return ACLCHECK_OK;
> > }
> >
> > --- 410,416 ----
> > * pg_database table, there is still additional permissions
> > * checking in dbcommands.c
> > */
> > ! if ((mode & ACL_WR) || (mode & ACL_AP))
> > return ACLCHECK_OK;
> > }
>
> I am now thinking about this patch, and I don't think I like it. The
> original code allowed APPEND-only for users who can create databases,
> but no DELETE. The patch gives them DELETE permission, so they can
> destroy their database, but they could issue the command:
>
> select from pg_database
>
> and destroy everyone's. 'drop database' does checkes, but the acl check
> is done in the executor, and it doesn't know if the the checks have been
> performed or not.
>
> Can someone who has permission to create databases be trusted not to
> delete others? If we say no, how do we make sure they can change
> pg_database rows on only databases that they own?
>
> --
> Bruce Momjian
> maillist@candle.pha.pa.us
Can't you check to see if they own the database before you let them
delete the row in pg_database. If a row is deleted from pg_database, it
is disallowed unless the userid is the same as the datdba field in that
row?