Re: Bogus permissions display in 7.4

From: Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: PostgreSQL Developers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Bogus permissions display in 7.4
Date: 2004-05-17 15:37:20
Message-ID: Pine.LNX.4.58.0405171707410.19985@sablons.cri.ensmp.fr
Lists: pgsql-hackers


Dear Tom,

> > (2) Although I subscribe your first 3 points, I do not like the 4th point.
>
> I didn't either. After working on it some more, what I want to do now
> is keep the ACL representation the same as it is, but implicitly assume
> that the owner has all grant options whether the ACL says so or not.

Mmmm... So you still want to stick to "exceptional" rights that are
managed somewhere explicitly in the backend code. I would much prefer
something explicit in the acl, because it would make the path to roles
easier, and I'm a little bit interested in this path.

What I was "implicitly" suggesting through questions in my mail was an
approach where:

(0) all rights are always explicit, null means "no rights".
So the algorithm to check accesses would be:

- if (it is a super-user) access granted;
else interpret explicitly ACL;

Otherwise you have everywhere:

- if (it is a super-user) access granted;
elsif (it is the owner and we just need grant options) access granted;
else interpret acl explicitly;

As I've pointed out with some bug reports, the current middle section
is quite buggy at the moment, and I think I've found another
not-yet-reported bug in this area.

As we're dealing with security, the simpler the better. Having
implicit things just makes the code harder to understand and check,
because there is always a special case, and looking at the acl
from userland needs some interpretation of things that are not there.

(1) "grant option" rights are given at creation time explicitly, maybe
with your special user 0. They could then be revoked by the owner.

(2) if they are revoked, they could be given back but only by the
super user, with something like:

GRANT ALL ON ... TO calvin WITH GRANT OPTIONS FROM GRANTOR _SYSTEM;

It is a point that the super user should be able to create and
manage all rights, including explicit grantors.

So only the superuser is special in this approach, and owners are
only managed especially when creating an object, but not after.

This should make the actual code simpler and more explicit, so I feel that
it would be less likely to be buggy, and adding roles after that would be more
straightforward.

Well, all this is just my little opinion, and I'm not the one coding.

Have a nice day,

--
Fabien Coelho - coelho(at)cri(dot)ensmp(dot)fr
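The two check shapes contrasted in the message above, as an added toy model (not PostgreSQL source, and not code from the thread's author). It assumes a flat list of (grantee, privilege, grant option, grantor) entries, a placeholder pseudo-grantor "_SYSTEM" for rights seeded at object creation, and the user names "hobbes", "calvin" and "postgres"; all of these are illustrative choices, not the real aclitem layout. The point it shows is the one the message makes: once the owner's grant option is recorded explicitly, revoking it is visible to an explicit check, while the implicit-owner rule keeps answering "yes" from a special case the ACL does not show.

```python
"""Toy model of explicit-ACL vs implicit-owner privilege checks.

Constructed example, not PostgreSQL code. The aclitem layout, the
"_SYSTEM" pseudo-grantor and the user names are assumptions made for
illustration only.
"""
from dataclasses import dataclass

SYSTEM = "_SYSTEM"  # assumed placeholder grantor for rights seeded at creation
PRIVS = frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"})


@dataclass(frozen=True)
class AclItem:
    grantee: str
    priv: str
    grant_option: bool
    grantor: str


def create_object(owner: str) -> list:
    """Approach (1): seed every right, with grant option, explicitly for the
    owner. The grantor is the system pseudo-user, so the entry is
    distinguishable from a right the owner granted to themselves."""
    return [AclItem(owner, p, True, SYSTEM) for p in sorted(PRIVS)]


def has_explicit(acl, user, priv, need_grant):
    """'null means no rights': answer only from what the ACL records."""
    return any(
        i.grantee == user and i.priv == priv and (i.grant_option or not need_grant)
        for i in acl
    )


def check_explicit(acl, user, priv, need_grant=False, *, superuser=False):
    """Approach (0): only the superuser is special; everything else is ACL."""
    if superuser:
        return True
    return has_explicit(acl, user, priv, need_grant)


def check_implicit(acl, user, owner, priv, need_grant=False, *, superuser=False):
    """The shape the message objects to: a second special case assumes the
    owner holds grant options whether or not the ACL says so."""
    if superuser:
        return True
    if user == owner and need_grant:
        return True
    return has_explicit(acl, user, priv, need_grant)


def revoke(acl, grantee, priv, *, grant_option_only=False):
    """REVOKE [GRANT OPTION FOR] priv FROM grantee, simplified."""
    out = []
    for i in acl:
        if i.grantee != grantee or i.priv != priv:
            out.append(i)
        elif grant_option_only:
            out.append(AclItem(i.grantee, i.priv, False, i.grantor))
        # otherwise the entry is dropped entirely
    return out


def grant(acl, actor, grantee, priv, *, grant_option=False, grantor=None,
          superuser=False):
    """GRANT priv TO grantee [WITH GRANT OPTION] [FROM GRANTOR x], simplified.

    Approach (2): only the superuser may name _SYSTEM as grantor. Anyone
    else is checked against the ACL alone, with no owner special case."""
    grantor = grantor or actor
    if grantor == SYSTEM:
        if not superuser:
            raise PermissionError("only the superuser may grant from _SYSTEM")
    elif grantor != actor:
        raise ValueError("grantor must be the acting user or _SYSTEM")
    elif not check_explicit(acl, actor, priv, need_grant=True, superuser=superuser):
        raise PermissionError(f"{actor} lacks grant option on {priv}")
    kept = [i for i in acl if not (i.grantee == grantee and i.priv == priv)]
    return kept + [AclItem(grantee, priv, grant_option, grantor)]


def demo():
    """Owner 'hobbes' loses the SELECT grant option; the two checks disagree."""
    acl = create_object("hobbes")
    before = (check_explicit(acl, "hobbes", "SELECT", need_grant=True),
              check_implicit(acl, "hobbes", "hobbes", "SELECT", need_grant=True))
    acl = revoke(acl, "hobbes", "SELECT", grant_option_only=True)
    after = (check_explicit(acl, "hobbes", "SELECT", need_grant=True),
             check_implicit(acl, "hobbes", "hobbes", "SELECT", need_grant=True))
    try:  # the explicit path refuses the owner re-granting what was revoked
        grant(acl, "hobbes", "calvin", "SELECT")
        owner_can_regrant = True
    except PermissionError:
        owner_can_regrant = False
    # only the superuser can hand it back, naming the system grantor
    acl = grant(acl, "postgres", "hobbes", "SELECT", grant_option=True,
                grantor=SYSTEM, superuser=True)
    restored = check_explicit(acl, "hobbes", "SELECT", need_grant=True)
    return before, after, owner_can_regrant, restored


if __name__ == "__main__":
    print(demo())
```

In the explicit model the ACL is the whole story, so a userland tool reading it sees the same answer the backend gives; in the implicit model the tuple `(False, True)` after the revoke is exactly the "interpretation of things that are not there" the message complains about.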
