Thread: Bug #549: select table privilege in postgres allows user to create index on the table
Bug #549: select table privilege in postgres allows user to create index on the table
From
pgsql-bugs@postgresql.org
Date:
Shahid Mohammad Shamsi (mshamsi@dinmar.com) reports a bug with a severity of 2
The lower the number the more severe it is.

Short Description
select table privilege in postgres allows user to create index on the table

Long Description
I created a user and assigned select privilege on a table. The user cannot insert any data or add a field to the table. But, the user can create indexes on the table despite having select only privileges. This becomes a serious problem if the user can create unique indexes.

Sample Code

No file was uploaded with this report
Re: Bug #549: select table privilege in postgres allows user to create index on the table
From
Tom Lane
Date:
pgsql-bugs@postgresql.org writes:
> select table privilege in postgres allows user to create index on the table

Actually, it appears that CREATE INDEX has no permission check at all.

I agree this is a bug. Probably CREATE INDEX should require ownership
permission, the same as ALTER TABLE.

regards, tom lane
Tom Lane wrote:
> pgsql-bugs@postgresql.org writes:
> > select table privilege in postgres allows user to create index on the table
>
> Actually, it appears that CREATE INDEX has no permission check at all.
>
> I agree this is a bug. Probably CREATE INDEX should require ownership
> permission, the same as ALTER TABLE.

Added to TODO:

    * Allow only owner to create indexes

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
Re: [HACKERS] Bug #549: select table privilege in postgres allows user to create index on the table
From
Tom Lane
Date:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Added to TODO:
>     * Allow only owner to create indexes

I was going to just fix it now. Do you want to leave it for 7.3?

regards, tom lane
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Added to TODO:
> >     * Allow only owner to create indexes
>
> I was going to just fix it now. Do you want to leave it for 7.3?

If you think it is safe, go ahead. I fixed some stuff last night. :-)

I will remove from TODO when I see the commit.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
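
A regression check for the behaviour discussed in this thread, added here as an example; it is not code from the thread or from the PostgreSQL project. It assumes a current PostgreSQL server, a superuser session on a scratch database, and the default USAGE on the current schema; the names idx_check_t, idx_check_reader, idx_check_u and idx_check_owner_idx are constructed for the test.

```sql
-- Added example: confirm that SELECT privilege alone does not allow CREATE INDEX.
-- Everything runs in one transaction and is rolled back, role included.
BEGIN;

CREATE ROLE idx_check_reader NOLOGIN;             -- constructed test role
CREATE TABLE idx_check_t (id integer, val text);  -- constructed test table
INSERT INTO idx_check_t VALUES (1, 'a'), (2, 'b');
GRANT SELECT ON idx_check_t TO idx_check_reader;

-- Act as the SELECT-only role for the rest of the transaction.
SET LOCAL ROLE idx_check_reader;

DO $$
BEGIN
    -- Control: the role must be able to read the table. If this fails, the
    -- error propagates and the check below cannot report a false PASS.
    PERFORM count(*) FROM idx_check_t;

    BEGIN
        -- The case from the report: a unique index created by a non-owner.
        CREATE UNIQUE INDEX idx_check_u ON idx_check_t (val);
        -- Reached only if the server performed no ownership check.
        RAISE EXCEPTION 'FAIL: SELECT-only role created an index';
    EXCEPTION
        WHEN insufficient_privilege THEN
            RAISE NOTICE 'PASS: CREATE INDEX denied for SELECT-only role';
    END;
END
$$;

-- Positive control: the table owner can still create the index.
RESET ROLE;
CREATE INDEX idx_check_owner_idx ON idx_check_t (val);

ROLLBACK;
```

If the DO block reports FAIL, the transaction is aborted and the remaining statements error until ROLLBACK, which still cleans up the role and table.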