PostgreSQL 7.0RC1 access control bug with references - Mailing list pgsql-bugs
| From | Dan Franklin |
|---|---|
| Subject | PostgreSQL 7.0RC1 access control bug with references |
| Date | |
| Msg-id | 4.3.1.2.20000427132451.00af8290@mail.infoplease.com Whole thread Raw |
| List | pgsql-bugs |
==================================================================
POSTGRESQL BUG REPORT TEMPLATE
==================================================================
Your name : Dan Franklin
Your email address : dfranklin@infoplease.com
System Configuration
---------------------
Architecture (example: Intel Pentium) : Intel Pentium III stepping 03
Operating System (example: Linux 2.0.26 ELF) : Linux 2.2.14-5.0
PostgreSQL version (example: PostgreSQL-6.5.1): PostgreSQL-7.0RC1
Compiler used (example: gcc 2.8.0) : egcs-2.91.66
Please enter a FULL description of your problem:
------------------------------------------------
If a table T has a column FK that references another table K,
and a user has full access to table T but only select access to table K,
then inserting a row into T gets "Permission denied".
Since inserting a row into T never requires K to be modified, only
select access on the modified table should be required.
Please describe a way to repeat the problem. Please try to provide a
concise reproducible example, if at all possible:
----------------------------------------------------------------------
The following test case is a shell script that creates a 'reftest'
database and a user of that database, creates a primary/foreign-key
relationship, grants limited access to the tables, and then tries to
do the insert. Two sets of tables are created to make it easy to see
the permissions issue.
------------------------------------------------------------------------------
## This test case illustrates that if one table has a foreign key
## referencing another table, then any user wishing to insert rows into
## the foreign-key table must have read-write access on the primary-key
## table, rather than just read.
# Show version
psql --version
## Database for test case
createdb reftest
# Create two primary tables and two tables referencing them,
# with different permissions.
psql reftest <<EOF
create table color1 (
id serial,
value varchar(20) unique
);
insert into color1(value) values('red');
insert into color1(value) values('blue');
create table color2 (
id serial,
value varchar(20) unique
);
insert into color2(value) values('red');
insert into color2(value) values('blue');
create table crayon1 (
id serial,
name text,
color varchar(20) references color1(value)
);
create table crayon2 (
id serial,
name text,
color varchar(2) references color2(value)
);
create user webuser nocreatedb nocreateuser;
grant select,update,delete on color1 to webuser;
grant select on color2 to webuser;
grant all on crayon1,crayon2 to webuser;
-- Show permissions
\z
EOF
psql -e -U webuser reftest <<--EOF
-- The first one works
insert into crayon1(name,color) values('C1', 'red');
select * from crayon1;
-- The 2nd one gets "Permission denied"
insert into crayon2(name,color) values('C2', 'red');
select * from crayon2;
--EOF
---------------------------------END SCRIPT ---------------------------------
The output from the last part of the script (the 2nd psql invocation) is:
insert into crayon1(name,color) values('C1', 'red');
INSERT 24320 1
select * from crayon1;
id | name | color
----+------+-------
1 | C1 | red
(1 row)
insert into crayon2(name,color) values('C2', 'red');
ERROR: color2: Permission denied.
select * from crayon2;
id | name | color
----+------+-------
(0 rows)
The "Permission denied" is a bug; granting select on color2 should be
sufficient to allow inserting into crayon2.
If you know how this problem might be fixed, list the solution below:
---------------------------------------------------------------------
(Nope)
pgsql-bugs by date: