Re: [HACKERS] Re: Bug#21681: postgresql: Doesn't allow granting to www-data - Mailing list pgsql-hackers

From Oliver Elphick
Subject Re: [HACKERS] Re: Bug#21681: postgresql: Doesn't allow granting to www-data
Date
Msg-id 199804281547.QAA25269@linda.lfix.co.uk
In response to Re: [HACKERS] Re: Bug#21681: postgresql: Doesn't allow granting to www-data  ("Thomas G. Lockhart" <lockhart@alumni.caltech.edu>)
List pgsql-hackers
"Thomas G. Lockhart" wrote:
  >"Don't want to change"? Probably not. We're trying to figure out how to
  >cope with an ever-increasing number of interested users _and_
  >developers, and don't always react quickly to good suggestions.

Don't take it personally!  I'm happy to accept the developers' decisions,
since you know the code much better.

  >The topic just came up recently, as I recall, and your suggestions are
  >good. Do you really want the patch applied which disables the more
  >general user names,

I would prefer to have Unix user names allowed throughout.  However, if
the developers decide not to do this, the patch to createuser is
required to maintain consistency.  From Bruce's original reply,  I had
thought that was the position.

  >                   or do you want to move more slowly and try to get
  >full user names in v6.4 (we have several months to get this right; in
  >fact we may already have them; see below :)

By all means, let's have them!

  >> However there is, as you say in another mail, no convenient way of
  >> doing that automatically.  We need an environment variable or a
  >> command-line option to specify the user and (optionally) password.
  >
  >Sorry, I didn't follow the whole discussion. Is the problem only with
  >explicit CREATE USER and GRANT commands in SQL, or are there other
  >interfaces which would show problems too (you mention command-line
  >options above, but I don't know to what).

Sorry; that's what comes of running a three-way discussion.  The problem is
that you can't (I think) start a connection while supplying another
user-name than your login-name, except by the -u option to psql.  This
leads to an interactive prompt for name and password.  This is not
convenient for CGI scripts on web-servers (which is how the original
problem manifested itself.)  It seems to be desirable to be able to
specify the postgres user name while starting the connection.

  >Oh, I just tried something:
  >
  >tgl=> create user "hi-there";
  >CREATE USER

  >Isn't this what you want?? I haven't figured out how to get GRANT to
  >work, but it seems to swallow the double-quoted user name as it
  >should...

Yes it is; I hadn't tried double-quotes, because single-quotes are used
for strings - it didn't occur to me! (Incidentally, WHY double-quotes here
instead of single-quotes? Surely that's against SQL practice?) It doesn't
work for GRANT, though, with either kind of quote:

  bray->  grant all on address to www-data;
  ERROR:  aclparse: non-existent user "www"
  bray=> grant all on address to "www-data";
  ERROR:  aclparse: mode flags must use "arwR"
  bray=> grant all on address to 'www-data';
  ERROR:  parser: parse error at or near "'"


Overall, it seems to me that a user-name is just a string, that is used
as a key into pg_shadow.  The SQL92 definition allows it to be a
character string literal.  So there ought to be no problem in specifying
a string rather than an identifier in all the relevant places.
(I speak in happy ignorance of whatever the real problems may be!)


--
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver

PGP key from public servers; key ID 32B8FAA1

                 ========================================
    Come to me, all you who labour and are heavily laden, and I will
    give you rest. Take my yoke upon you, and learn from me; for I am
    meek and lowly in heart, and you shall find rest for your souls.
    For my yoke is easy and my burden is light.    (Matthew 11: 28-30)
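
An added example, not part of the original message or of PostgreSQL's code: a simplified tokenizer showing why an unquoted `www-data` is read as the identifier `www` followed by an operator, while the double-quoted form is one identifier and the single-quoted form is a string literal, plus a helper that a CGI script could use to quote a user name before putting it into a GRANT statement. The token rules, `classify`, `quote_ident`, `build_grant` and the privilege list are assumptions made for illustration, and the statement produced is the double-quoted form that the message reports GRANT rejecting in the version under discussion.

```python
import re

# Simplified SQL lexical rules (an illustration, not PostgreSQL's scanner):
# "..." is a delimited identifier, '...' is a string literal,
# a bare word is a regular identifier, anything else is an operator.
TOKEN = re.compile(r'''
    (?P<quoted_ident>"(?:[^"]|"")*")
  | (?P<string>'(?:[^']|'')*')
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[^\sA-Za-z0-9_"'])
''', re.VERBOSE)


def classify(name_text):
    """Return [(token_kind, text), ...] for text written where a user name is expected."""
    return [(m.lastgroup, m.group()) for m in TOKEN.finditer(name_text)]


def quote_ident(name):
    """Wrap a name as a delimited identifier, doubling embedded double quotes."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'


# Hypothetical allow-list: the privilege keyword is never taken verbatim from input.
ALLOWED_PRIVS = {"ALL", "SELECT", "INSERT", "UPDATE", "DELETE"}


def build_grant(priv, table, user):
    """Build a GRANT statement with table and user as delimited identifiers."""
    if priv.upper() not in ALLOWED_PRIVS:
        raise ValueError("unsupported privilege")
    return f"GRANT {priv.upper()} ON {quote_ident(table)} TO {quote_ident(user)};"


if __name__ == "__main__":
    # Constructed inputs: the three spellings tried in the message.
    for text in ('www-data', '"www-data"', "'www-data'"):
        print(text, "->", classify(text))
    print(build_grant("all", "address", "www-data"))
```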


