Discussion: ACL's
Hi,

while writing the chapter about Rules and permissions I remember that there was a problem with non privileged users. As soon as someone without superuser privs does a GRANT or REVOKE on his relations, he must GRANT explicitly to himself too or will get a "permission denied". I think since the table owner always has the right to change ACL's, this doesn't make sense. I'll dig it up and send in a patch soon.

While doing this, should I exclude RULE permission from GRANT ALL? I think it's dangerous to have it included, because the usual way to give full access is a GRANT ALL and someone might forget that this includes the right to disable rule actions for a moment. The output of pg_rules gives anyone the knowledge to reinstall the correct rules after. An explicitly required GRANT RULE is better IMHO. And the RULE right isn't standard, is it?

Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#======================================== jwieck@debis.com (Jan Wieck) #

I think it should stay that way - being able to deny oneself a privilege is a good way to make sure that one does what one does consciously. I know the root password on many machines, but I still do almost everything through a normal account - that way I have to make a conscious decision to become dangerous :-) and if I accidentally try to do something dangerous as an ordinary user a) it doesn't happen and b) I'm reminded how dangerous it is. I still have the ability to do dangerous things, I just have to take an extra step.

I agree with your point regarding RULE permission and GRANT ALL; however, GRANT ALL really should grant ALL, don't you think? Maybe add a variant "GRANT NORMAL", where "NORMAL" is a mask of permissions set by the administrator (of the given database of course).

Regards, K.

On 21-Oct-98 Jan Wieck wrote:
> Hi,
>
> while writing the chapter about Rules and permissions I
> remember that there was a problem with non privileged users.
> As soon as someone without superuser privs does a GRANT or
> REVOKE on his relations, he must GRANT explicitly to himself
> too or will get a "permission denied". I think since the
> table owner always has the right to change ACL's, this
> doesn't make sense. I'll dig it up and send in a patch soon.
>
> While doing this, should I exclude RULE permission from GRANT
> ALL? I think it's dangerous to have it included, because the
> usual way to give full access is a GRANT ALL and someone
> might forget that this includes the right to disable rule
> actions for a moment. The output of pg_rules gives anyone the
> knowledge to reinstall the correct rules after. An explicitly
> required GRANT RULE is better IMHO. And the RULE right isn't
> standard, is it?
>
>
> Jan
>
> --
>
>#======================================================================#
># It's easier to get forgiveness for being wrong than for being right. #
># Let's break this rule - forgive me.                                  #
>#======================================== jwieck@debis.com (Jan Wieck) #

---
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (auer@kom.id.ethz.ch)     Geschaeft/work  +41-1-6327531
Kommunikation, ETHZ RZ              Privat/home     +41-1-4517941
Clausiusstrasse 59                  Fax             +41-1-6321225
CH-8092 ZUERICH Switzerland

> I think it should stay that way - being able to deny oneself a privilege is a
> good way to make sure that one does what one does consciously. I know the
> root password on many machines, but I still do almost everything through a
> normal account - that way I have to make a conscious decision to become
> dangerous :-) and if I accidentally try to do something dangerous as an
> ordinary user a) it doesn't happen and b) I'm reminded how dangerous it is.
> I still have the ability to do dangerous things, I just have to take an extra
> step.

What do other DB's do? I assume they give the owner permission.

--
  Bruce Momjian                          |  http://www.op.net/~candle
  maillist@candle.pha.pa.us              |  (610) 853-3000
  +  If your life is a hard drive,       |  830 Blythe Avenue
  +  Christ can be your backup.          |  Drexel Hill, Pennsylvania 19026

> > I think it should stay that way - being able to deny oneself a privilege is a
> > good way to make sure that one does what one does consciously. I know the
> > root password on many machines, but I still do almost everything through a
> > normal account - that way I have to make a conscious decision to become
> > dangerous :-) and if I accidentally try to do something dangerous as an
> > ordinary user a) it doesn't happen and b) I'm reminded how dangerous it is.
> > I still have the ability to do dangerous things, I just have to take an extra
> > step.
>
> What do other DB's do? I assume they give the owner permission.

Hmmm... so it's a TODO for 6.5 after being discussed.

Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#======================================== jwieck@debis.com (Jan Wieck) #
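
The two questions debated in this thread (does the owner keep access after the first GRANT, and does GRANT ALL include RULE), as an added toy model in Python that is not part of the original messages or of PostgreSQL's code. The class, the `owner_implicit` and `all_includes_rule` switches, and the users `alice` and `bob` are hypothetical; treating a relation with no ACL entries yet as owner-only is a modelling assumption.

```python
# Toy model of the relation ACL behaviour debated in this thread.
# Constructed for illustration; not PostgreSQL source code.
PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE", "RULE"}


class Relation:
    def __init__(self, owner, owner_implicit=False, all_includes_rule=True):
        self.owner = owner
        self.owner_implicit = owner_implicit        # hypothetical: owner always passes checks
        self.all_includes_rule = all_includes_rule  # hypothetical: does ALL cover RULE?
        self.acl = None                             # None: no GRANT/REVOKE issued yet

    def _expand(self, privs):
        if privs == "ALL":
            return set(PRIVS) if self.all_includes_rule else PRIVS - {"RULE"}
        return set(privs) & PRIVS

    def _change(self, actor):
        # Per the thread, the owner always keeps the right to change the ACL.
        if actor != self.owner:
            raise PermissionError("permission denied")
        if self.acl is None:
            self.acl = {}

    def grant(self, actor, grantee, privs):
        self._change(actor)
        self.acl.setdefault(grantee, set()).update(self._expand(privs))

    def revoke(self, actor, grantee, privs):
        self._change(actor)
        self.acl.setdefault(grantee, set()).difference_update(self._expand(privs))

    def allowed(self, user, priv):
        # Owner passes implicitly only while no ACL exists, or if the switch is on.
        if user == self.owner and (self.owner_implicit or self.acl is None):
            return True
        return self.acl is not None and priv in self.acl.get(user, set())


def owner_after_grant(owner_implicit):
    """Can the owner still SELECT after granting SELECT to someone else?"""
    rel = Relation("alice", owner_implicit=owner_implicit)
    rel.grant("alice", "bob", ["SELECT"])
    return rel.allowed("alice", "SELECT")


def rule_via_grant_all(all_includes_rule):
    """Does GRANT ALL hand the grantee the RULE privilege?"""
    rel = Relation("alice", all_includes_rule=all_includes_rule)
    rel.grant("alice", "bob", "ALL")
    return rel.allowed("bob", "RULE")
```

`owner_after_grant(False)` models the behaviour reported in the first message, and `rule_via_grant_all(False)` models a GRANT ALL that leaves RULE to an explicit grant.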