On Fri, May 20, 2011 at 12:18 PM, Guillaume Lelarge
<guillaume@lelarge.info> wrote:
Well, for a specific object, any superuser, the database owner, the
schema owner, and the object owner could drop the object. This is not a
vulnerability.
It is not documented clearly. Any information not made clear is an opportunity for an error which leads to a vulnerability.
It is not a vulnerability in postgresql itself. It is a vulnerability in an ill-designed system, which can come about due to misinformation / lack of clarity.
Putting your first sentence ("For a specific object, any superuser, the database owner, the schema owner, and the object owner could drop the object.") in the documentation would remove the opportunity for error.