Обсуждение: Bug #931: bugs "create user" "alter user"

Поиск
Список
Период
Сортировка

Bug #931: bugs "create user" "alter user"

От
pgsql-bugs@postgresql.org
Дата:
techi (snieznik@interia.pl) reports a bug with a severity of 2
The lower the number the more severe it is.

Short Description
bugs "create user" "alter user"

Long Description

   I think i have found a bug . I am  using PostgreSQL 7.3.2 on a
   platform WindowsXP under cygwin. And the bug looks like :

   As a superuser i make a new user called "Paul" with a command :

    CREATE USER Paul ;

    and that's ok , when i change user , and i am as Paul trying to
    create a database or user.

 (FIRST METHOD)
     CREATE USER Michael ;    or CREATE DATABASE school  ;
     The output is for both commands : PERMISSION DENIED
            and that's ok.

      BUT when I as a superuser create a new user called "Paul" with
      command
   (SECOND METHOD)
       CREATE USER Paul WITH NOCREATEDB NOCREATEUSER ;
       The output is CREATE USER .
       and here is a bug .
         When I am logged to psql as a new user techi and I am trying
         to create a database or create user ---- and unfortunatelly           it is working .
         Paul is allowed to create a new user acount and a new
         database but he couldn't do it !!!!!!!!!!!!!
         There is a similar bug , when I create user by the first
         method( i am logged to psql as superuser), and after
         creating a new user "Robert" I change attributes of a new     user account
         typing command
          ALTER USER Robert WITH CREATEUSER ;
          The output is ok .
          But something goes wrong , the user Rober is also allowed to
          create a database!!!!!!!!!!! he shouldn't do it !!!!!!!


           that's all i wanted to tell you .

           take care

                   best regards

                    techi

Sample Code


No file was uploaded with this report

Re: Bug #931: bugs "create user" "alter user"

От
Stephan Szabo
Дата:
On Thu, 3 Apr 2003 pgsql-bugs@postgresql.org wrote:

> techi (snieznik@interia.pl) reports a bug with a severity of 2
> The lower the number the more severe it is.

>  (FIRST METHOD)
>      CREATE USER Michael ;    or CREATE DATABASE school  ;
>      The output is for both commands : PERMISSION DENIED
>             and that's ok.
>
>       BUT when I as a superuser create a new user called "Paul" with
>       command
>    (SECOND METHOD)
>        CREATE USER Paul WITH NOCREATEDB NOCREATEUSER ;
>        The output is CREATE USER .
>        and here is a bug .
>          When I am logged to psql as a new user techi and I am trying
>          to create a database or create user ---- and unfortunatelly
>          it is working .
>          Paul is allowed to create a new user acount and a new
>          database but he couldn't do it !!!!!!!!!!!!!

I'm not sure what you're saying here. Are you saying that paul was
allowed and techi wasn't and both were created the same way?

>           ALTER USER Robert WITH CREATEUSER ;
>           The output is ok .
>           But something goes wrong , the user Rober is also allowed to
>           create a database!!!!!!!!!!! he shouldn't do it !!!!!!!

I think createuser implies superuser access currently so nocreatedb is
trumped by that.  The man page in current version seems to say that for
ALTER USER (although the text is kind of poor).