I wrote:
> I think the correct solution involves having recursive_revoke look to
> see if D still has the rights from somewhere else before it goes off to
> recursively revoke D's grants. This makes it correctly implement the
> notion that one always has the union of the rights granted by anyone.
While implementing this I noticed a fine point, which is that we need a
defense to keep people from setting up irrevocable circular chains of
rights. Consider:
1. A, the object owner, grants some privileges with grant options to B.
2. B re-grants the same to C.
3. C re-grants the same to B.
Now A effectively cannot revoke B's privileges, because recursive_revoke
will see that B still holds the grant from C, and not recurse.
B does not even need a partner in crime ... he can just re-grant to
himself with grant option, and he's got irrevocable rights.
Fortunately, it's not too hard for aclinsert to detect an attempt to set
up such a circular chain, and reject it. What I have the code doing
when an attempt to grant grant options is made is (a) make a copy of the
ACL in which all grant options for the would-be grantee are removed with
DROP_CASCADE, then (b) examine this ACL to verify that the would-be
grantor still has grant options for the proposed rights. If so, he
didn't derive the rights directly or indirectly from the grantee, and
the grant is not circular.
regards, tom lane