KaiGai Kohei wrote:
> Alvaro Herrera wrote:
>> Tom Lane wrote:
>>> KaiGai Kohei <kaigai@kaigai.gr.jp> writes:
>>>> BTW, currently, the default ACL of largeobject allows anything for owner
>>>> and nothing for world. Do you have any comment for the default behavior?
>>> Mph. I think the backlash will be too great. You have to leave the
>>> default behavior the same as it is now, ie, world access.
>> BTW as a default it is pretty bad. Should we have a GUC var to set the
>> default LO permissions?
>
> It seems to me a reasonable idea in direction.
> However, it might be better to add a GUC variable to turn on/off LO
> permission feature, not only default permissions.
> It allows us to control whether the privilege mechanism should perform
> in backward compatible, or not.
Now we have two options:
1. A GUC variable to set the default largeobject permissions.
SET largeobject_default_acl = [ ro | rw | none ] - ro : read-only - rw : read-writable - none : nothing
It can control the default acl which is applied when NULL is set on the pg_largeobject_meta.lomacl. However,
lo_unlink()checks ownership on the largeobject, so it is not enough compatible with v8.4.x or prior.
2. A GUC veriable to turn on/off largeobject permissions.
SET largeobject_compat_dac = [ on | off ]
When the variable is turned on, largeobject dac permission check is not applied as the v8.4.x or prior version did.
So,the variable is named "compat" which means compatible behavior. It also does not check ownership on lo_unlink().
My preference is the second approach.
What's your opinion?
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>