Home > mailing lists

Re: DROP TABLE can be issued by schema owner as well as table owner - Mailing list pgsql-docs

From	Derrick Rice
Subject	Re: DROP TABLE can be issued by schema owner as well as table owner
Date	May 20, 2011 16:35:33
Msg-id	BANLkTimfjeEE-2EVnghk0HPynMNvMpMFmQ@mail.gmail.com Whole thread Raw
In response to	Re: DROP TABLE can be issued by schema owner as well as table owner (Guillaume Lelarge <guillaume@lelarge.info>)
Responses	Re: DROP TABLE can be issued by schema owner as well as table owner
List	pgsql-docs

Tree view

On Fri, May 20, 2011 at 12:18 PM, Guillaume Lelarge <guillaume@lelarge.info> wrote:

Well, for a specific object, any superuser, the database owner, the
schema owner, and the object owner could drop the object. This is not a
vulnerability.

It is not documented clearly. Any information not made clear is an opportunity for an error which leads to a vulnerability.

It is not a vulnerability in postgresql itself. It is a vulnerability in an ill-designed system, which can come about due to misinformation / lack of clarity.

Putting your first sentence ("For a specific object, any superuser, the database owner, the schema owner, and the object owner could drop the object.") in the documentation would remove the opportunity for error.

pgsql-docs by date:

From: Guillaume Lelarge
Date: 20 May 2011, 16:18:22
Subject: Re: DROP TABLE can be issued by schema owner as well as table owner

From: Alvaro Herrera
Date: 20 May 2011, 16:54:02
Subject: Re: DROP TABLE can be issued by schema owner as well as table owner

Re: DROP TABLE can be issued by schema owner as well as table owner - Mailing list pgsql-docs

Previous

Next