Re: [BUGS] grant/revoke bug with delete/update - Mailing list pgsql-bugs

From Jerome ALET
Subject Re: [BUGS] grant/revoke bug with delete/update
Msg-id Pine.LNX.3.96.1000306093953.2073A-100000@cortex.unice.fr
In response to Re: [BUGS] grant/revoke bug with delete/update  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: [BUGS] grant/revoke bug with delete/update
List pgsql-bugs
Peter, thanks for your support!

I'm surprised this bug isn't taken seriously by other people.

About the fact that this isn't considered a bug fix, I disagree
entirely: it's a fix for an important security issue.

It adds nothing. The only thing it changes is "du" instead of "w" in the
acls, so people would have to dump and restore their databases when
upgrading to a fixed version, but that's probably already the case for
upgrading from 6.5x to 7.x (I don't know). Of course I agree that this fix
needs a lot more testing than most bug fixes, and I haven't tested all the
possibilities (particularly with sequences, which I have not tested at
all).

I'm even more surprised this wasn't noticed before, or do all users deal
with databases as superuser? For those of you who have any doubt, I
suggest you look at a recent thread on BUGTRAQ (find it on
http://www.securityfocus.com) to see what problems this bug can generate
if used by bad people.

I've even received a mail trying to explain to me that update and delete are
the same thing because you can update a record you want to delete but have
no right to, to change its data... of course this is possible, but
nevertheless the record isn't deleted, so update and delete really are two
different things, not to mention that you may want to give delete permission
but not insert or update.

As I told Bruce previously in private, I won't be able to make this
patch for 7.0 for a week or two, so if someone does it before then (please do,
because you know the PostgreSQL code better than I do, so you'll make fewer
mistakes), just tell me, because I don't really want to duplicate the
effort.

bye,

PS: could someone explain to me what "tricky" means?

Jerome ALET - alet@unice.fr - http://cortex.unice.fr/~jerome
Faculte de Medecine de Nice - http://noe.unice.fr - Tel: 04 93 37 76 30
28 Avenue de Valombrose - 06107 NICE Cedex 2 - FRANCE

On Sat, 4 Mar 2000, Peter Eisentraut wrote:

> Bruce Momjian writes:
>
> > Looks very nice, but we can't apply it during beta.  Only bug fixes, and
> > this looks a little tricky.  We can try it for 7.1.  Maybe you can get
> > us a 7.0 based patch.
>
> It was me that encouraged him to send in this patch now because Karel and
> I are currently talking about redoing the ACL stuff for 7.1.
>
> I considered this a bug and the fix looks pretty straightforward. Perhaps
> it should go into 7.0.1?
>
> --
> Peter Eisentraut                  Sernanders väg 10:115
> peter_e@gmx.net                   75262 Uppsala
> http://yi.org/peter-e/            Sweden
>
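The check a practitioner would want after reading the above is whether GRANT UPDATE and GRANT DELETE really are enforced as separate privileges on the server at hand. The thread reports that both were folded into a single ACL entry and that the proposed patch splits them. The script below is an added example, not code from the thread or from the PostgreSQL project; it assumes a current PostgreSQL release (for SET ROLE and has_table_privilege), and the role and table names are hypothetical. Run it as a superuser or as the table's owner.

```sql
-- Added example, not part of the original thread. Assumes a current
-- PostgreSQL; role and table names are hypothetical. Run as a superuser.

CREATE ROLE app_updater LOGIN PASSWORD 'change-me';
CREATE ROLE app_purger  LOGIN PASSWORD 'change-me';

CREATE TABLE patient_record (
    id    serial PRIMARY KEY,
    name  text NOT NULL,
    notes text
);
-- constructed test row
INSERT INTO patient_record (name, notes) VALUES ('sample row', 'constructed test data');

-- The split the thread argues for: one role may change rows,
-- the other may only remove them, neither may do both.
GRANT SELECT, UPDATE ON patient_record TO app_updater;
GRANT SELECT, DELETE ON patient_record TO app_purger;

-- 1. Inspect the stored ACL. On a server where the two privileges are
--    distinct the grants appear as different letters (w for UPDATE,
--    d for DELETE in current releases). If both grants produced the
--    same letter, the server does not actually distinguish them.
SELECT relacl FROM pg_class WHERE relname = 'patient_record';

-- 2. Ask the catalog per role and privilege.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'patient_record', 'UPDATE') AS can_update,
       has_table_privilege(r.rolname, 'patient_record', 'DELETE') AS can_delete
FROM pg_roles r
WHERE r.rolname IN ('app_updater', 'app_purger')
ORDER BY r.rolname;

-- 3. Exercise it. The statement marked "must fail" must be rejected
--    with a permission error; if it succeeds, the bug from the thread
--    is present.
SET ROLE app_updater;
UPDATE patient_record SET notes = 'edited' WHERE id = 1;   -- allowed
DELETE FROM patient_record WHERE id = 1;                    -- must fail
RESET ROLE;

SET ROLE app_purger;
UPDATE patient_record SET notes = 'x' WHERE id = 1;         -- must fail
DELETE FROM patient_record WHERE id = 1;                    -- allowed
RESET ROLE;

-- Cleanup
DROP TABLE patient_record;
DROP ROLE app_updater;
DROP ROLE app_purger;
```

A correct server answers step 2 with can_update true and can_delete false for app_updater, and the reverse for app_purger, and rejects the two statements marked "must fail" in step 3. Run the script in autocommit mode (plain psql) so that a rejected statement does not abort the rest of the check.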
