Re: Bogus permissions display in 7.4 - Mailing list pgsql-hackers

From Fabien COELHO
Subject Re: Bogus permissions display in 7.4
Msg-id Pine.LNX.4.58.0405171707410.19985@sablons.cri.ensmp.fr
In response to Re: Bogus permissions display in 7.4  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Dear Tom,

> > (2) Although I subscribe to your first 3 points, I do not like the 4th point.
>
> I didn't either.  After working on it some more, what I want to do now
> is keep the ACL representation the same as it is, but implicitly assume
> that the owner has all grant options whether the ACL says so or not.

Mmmm... So you still want to stick to "exceptional" rights that are
managed somewhere explicitly in the backend code. I would much prefer
something explicit in the acl, because it would make the path to roles
easier, and I'm a little bit interested in this path.

What I was "implicitly" suggesting through questions in my mail was an
approach where:

(0) all rights are always explicit, null means "no rights".
    So the algorithm to check accesses would be:

    - if (it is a super-user) access granted;
      else interpret the ACL explicitly;

    Otherwise you have everywhere:

    - if (it is a super-user) access granted;
      elsif (it is the owner and we just need grant options) access granted;
      else interpret the acl explicitly;

    As I've pointed out with some bug reports, the current middle section
    is quite buggy at the time, and I think I've found another not yet
    reported bug in this area.

    As we're dealing with security, the simpler the better. Having
    implicit things just makes the code harder to understand and check
    because there is always a special case, and looking at the acl
    from userland needs some interpretation of things that are not there.
 

(1) "grant option" rights are given at creation time explicitly, maybe
    with your special user 0. They could then be revoked by the owner.
 

(2) if they are revoked, they could be given back but only by the
    super user, with something like:

    GRANT ALL ON ... TO calvin WITH GRANT OPTIONS FROM GRANTOR _SYSTEM;

It is a point that the super user should be able to create and
manage all rights, including explicit grantors.

So only the superuser is special in this approach, and owners are
only managed specially when creating an object, but not after.

This should make the actual code simpler and more explicit, so I feel that
it would be less likely to be buggy, and adding roles after that would be more
straightforward.

Well, all this is just my little opinion, and I'm not the one coding.

Have a nice day,

-- 
Fabien Coelho - coelho@cri.ensmp.fr
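The two access-check algorithms compared in the mail above, modelled as an added example in Python. This is not PostgreSQL source and not code from the thread: the privilege names, the `SUPERUSERS` set, the relation/ACL data structures and the function names (`check_implicit`, `check_explicit`, `create_relation`, `grant`, `revoke_grant_option`) are assumptions made here to illustrate the proposal; the pseudo-grantor `_SYSTEM` is taken from the mail's own suggested syntax. `check_implicit` is the "owner implicitly has all grant options" rule Tom describes; `check_explicit` is Fabien's point (0), with points (1) and (2) implemented as creation-time `_SYSTEM` grants that the owner can revoke and only a superuser can restore.

```python
"""Two ways to evaluate an object ACL (added example, not PostgreSQL code)."""
from dataclasses import dataclass, field

ALL = frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"})
SUPERUSERS = {"postgres"}      # constructed sample: who counts as superuser
SYSTEM_GRANTOR = "_SYSTEM"     # pseudo-grantor for creation-time rights (from the mail)


@dataclass
class AclItem:
    grantee: str
    privs: frozenset           # privileges the grantee holds
    grant_option: frozenset    # subset of privs the grantee may pass on
    grantor: str               # who granted them


@dataclass
class Relation:
    owner: str
    acl: list = field(default_factory=list)


def _acl_has(acl, user, priv, need_grant_option):
    """Read the ACL literally: no matching entry means no right."""
    for item in acl:
        if item.grantee == user:
            wanted = item.grant_option if need_grant_option else item.privs
            if priv in wanted:
                return True
    return False


def check_implicit(rel, user, priv, need_grant_option=False):
    """Current-style check: the owner implicitly holds every grant option,
    whether or not the ACL says so (the 'middle section' the mail objects to)."""
    if user in SUPERUSERS:
        return True
    if need_grant_option and user == rel.owner:
        return True
    return _acl_has(rel.acl, user, priv, need_grant_option)


def check_explicit(rel, user, priv, need_grant_option=False):
    """Proposed check (point 0): only the superuser is special, the ACL is the truth."""
    if user in SUPERUSERS:
        return True
    return _acl_has(rel.acl, user, priv, need_grant_option)


def create_relation(owner):
    """Point (1): the owner's rights and grant options are written explicitly
    at creation time and attributed to the pseudo-grantor _SYSTEM."""
    return Relation(owner, [AclItem(owner, ALL, ALL, SYSTEM_GRANTOR)])


def grant(rel, actor, grantee, privs, with_grant_option=False, grantor=None):
    """GRANT privs ON rel TO grantee [WITH GRANT OPTION] [FROM GRANTOR g].
    Point (2): naming _SYSTEM as grantor is reserved to the superuser; any
    other grant requires the actor to hold the grant option in the ACL."""
    privs = frozenset(privs)
    grantor = grantor or actor
    if grantor == SYSTEM_GRANTOR:
        if actor not in SUPERUSERS:
            raise PermissionError("only a superuser may grant FROM GRANTOR _SYSTEM")
    elif not all(check_explicit(rel, actor, p, need_grant_option=True) for p in privs):
        raise PermissionError(f"{actor} lacks grant option on {sorted(privs)}")
    rel.acl.append(AclItem(grantee, privs,
                           privs if with_grant_option else frozenset(), grantor))


def revoke_grant_option(rel, actor, grantee, privs):
    """REVOKE GRANT OPTION FOR privs ... FROM grantee, by the owner or a
    superuser.  Only the grant-option bits go; the privileges themselves stay."""
    privs = frozenset(privs)
    if actor not in SUPERUSERS and actor != rel.owner:
        raise PermissionError(f"{actor} may not revoke on this object")
    for i, item in enumerate(rel.acl):
        if item.grantee == grantee:
            rel.acl[i] = AclItem(item.grantee, item.privs,
                                 item.grant_option - privs, item.grantor)


if __name__ == "__main__":
    rel = create_relation("hobbes")
    revoke_grant_option(rel, "hobbes", "hobbes", ALL)
    # After the owner revokes its own grant options the two checks diverge:
    print("implicit:", check_implicit(rel, "hobbes", "SELECT", need_grant_option=True))
    print("explicit:", check_explicit(rel, "hobbes", "SELECT", need_grant_option=True))
```

The divergence after `revoke_grant_option` is the point of the mail: under the implicit rule the owner still passes the grant-option check although nothing in the ACL says so, so a tool reading the ACL from userland cannot tell what is actually enforced; under the explicit rule the ACL and the decision agree, and only a superuser using `FROM GRANTOR _SYSTEM` can put the right back.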

