| Lists: | pgsql-hackerspgsql-patches |
|---|
| From: | Jeff Davis <pgsql(at)j-davis(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | new warning message |
| Date: | 2008-02-27 22:03:11 |
| Message-ID: | 1204149791.16886.45.camel@dogma.ljc.laika.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers pgsql-patches |
On IRC today someone brought up a problem in which users were still able
to connect to a database after a "REVOKE CONNECT ... FROM theuser". The
reason theuser is still able to connect is because PUBLIC still has
privileges to connect by default (AndrewSN was the one who answered
this).
Would it be reasonable to throw a warning if you revoke a privilege from
some role, and that role inherits the privilege from some other role (or
PUBLIC)?
Regards,
Jeff Davis
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Jeff Davis <pgsql(at)j-davis(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: new warning message |
| Date: | 2008-02-27 22:42:18 |
| Message-ID: | 10142.1204152138@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers pgsql-patches |
Jeff Davis <pgsql(at)j-davis(dot)com> writes:
> Would it be reasonable to throw a warning if you revoke a privilege from
> some role, and that role inherits the privilege from some other role (or
> PUBLIC)?
This has been suggested and rejected before --- the consensus is it'd
be too noisy.
Possibly the REVOKE manual page could be modified to throw more stress
on the point.
regards, tom lane
| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Jeff Davis <pgsql(at)j-davis(dot)com>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: [HACKERS] new warning message |
| Date: | 2008-03-03 19:17:46 |
| Message-ID: | 200803031917.m23JHkP19631@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers pgsql-patches |
Tom Lane wrote:
> Jeff Davis <pgsql(at)j-davis(dot)com> writes:
> > Would it be reasonable to throw a warning if you revoke a privilege from
> > some role, and that role inherits the privilege from some other role (or
> > PUBLIC)?
>
> This has been suggested and rejected before --- the consensus is it'd
> be too noisy.
>
> Possibly the REVOKE manual page could be modified to throw more stress
> on the point.
Agreed, patch attached and applied.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
| Attachment | Content-Type | Size |
|---|---|---|
| /rtmp/diff | text/x-diff | 1.2 KB |