Radoslaw Stachowiak writes:
> > The problem with this approach is that if you do "revoke all on database
> > from all" you have hosed your system. Text files allow recovery in these
> > situations.
>
> thats completly wrong :) look at the whole UNIX dir permissions topic.
> Using postgres super user, there is NO check on permission (or at least
> there should not be).
But, unlike in Unix, you don't know what user a connection wants to be
before you have done authentication (pg_hba.conf), nor do you know whether
a user is a superuser before querying the database.
We could probably get past the first problem by separating the
_authentication_ and _authorization_ modules, and we could get by the
second issue by doing the connection, checking, and then disconnecting,
but that exposes the database to possible attacks by unprivileged users,
so it has to be evaluated carefully.
--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/
