Re: Please advice TODO Item pg_hba.conf - Mailing list pgsql-hackers
From | Alvaro Herrera |
---|---|
Subject | Re: Please advice TODO Item pg_hba.conf |
Date | |
Msg-id | 20060423210630.GB4775@surnet.cl Whole thread Raw |
Responses |
Re: Please advice TODO Item pg_hba.conf
Re: Please advice TODO Item pg_hba.conf |
List | pgsql-hackers |
Gevik Babakhani wrote: Hi, > 2) The file parsenodes.h is updated to support > #define ACL_DATABASE_CONNECT I wouldn't call it ACL_DATABASE_CONNECT, just ACL_CONNECT. Currently we don't have any objects other than databases that need connecting to, but you never know. (It should be very easy to change this if you edit the patch itself, un-apply the old one and then re-apply the edited patch.) > 7) File postinit.c method "ReverifyMyDatabase" is updated by following: > First we check to make sure we are not in bootstrap processing mode. > If not, we check to see if the connected user has ACL_DATABASE_CONNECT. > If not, ereport(FATAL,.....) > (Perhaps we should change the error message later) Please make sure you use the established style for writing the ereport() call. The newlines you placed are not consistent with the rest of the code. Also the message text does not follow the guidelines (no initial capital letter, no ending period for the primary message; the other way around for secondary messages). I think it should be ereport(FATAL, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("couldn't connect to database %s", database_name), errdetail("User %s doesn't have the CONNECT privilege for database %s.", user_name,database_name))); Or something like that. Not sure about the wording. Also: are we giving too much information so that it can be considered a security problem? (I don't think so, because user and database name were passed by the user). > 8) File dbcommands.c method "createdb" is updated by following: > When a new database is being created we add a default ACL by > calling acldefault(ACL_OBJECT_DATABASE,.... and adding the default ACL > by new_record[Anum_pg_database_datacl - 1] = > PointerGetDatum(defaultAcl); If I'm not mistaken, the general principle for creating objects is leave their ACLs as NULLs. Later, when a privilege is going to be checked, a NULL is treated as if it contained whatever default privilege the object class has. So you should leave this code alone, and have the checking code replace the default ACL when it gets a NULL (this way, it's even more backwards compatible). > At this moment the owner of the database CAN REVOKE himself form the > ACL_OBJECT_DATABASE. If the implementation above is acceptable then I > can work on this one :) Hmm, what do you want to do about it? ISTM the owner should be able to revoke the privilege from himself ... (Maybe we could raise a WARNING whenever anyone revokes the last CONNECT privilege to a database, so that he can GRANT it to somebody before disconnecting.) Also I'm not sure if we have discussed what's the default (initial) privilege state. Do we want PUBLIC to have CONNECT privilege? -- Alvaro Herrera http://www.CommandPrompt.com/ The PostgreSQL Company - Command Prompt, Inc.
pgsql-hackers by date: