Thread: Bug #549: select table privilege in postgres allows user to create index on the table

Bug #549: select table privilege in postgres allows user to create index on the table

From
pgsql-bugs@postgresql.org
Date:
Shahid Mohammad Shamsi (mshamsi@dinmar.com) reports a bug with a severity of 2
The lower the number the more severe it is.

Short Description
select table privilege in postgres allows user to create index on the table

Long Description
I created a user and assigned select privilege on a table. The user can not insert any data or add a field to the
table. But, the user can create indexes on the table despite having select only privileges. This becomes a serious
problem if the user can create unique indexes.


Sample Code


No file was uploaded with this report

pgsql-bugs@postgresql.org writes:
> select table privilege  in postgres allows user to create index on the table

Actually, it appears that CREATE INDEX has no permission check at all.

I agree this is a bug.  Probably CREATE INDEX should require ownership
permission, the same as ALTER TABLE.
        regards, tom lane


Re: [HACKERS] Bug #549: select table privilege in postgres allows

From
Bruce Momjian
Date:
Tom Lane wrote:
> pgsql-bugs@postgresql.org writes:
> > select table privilege  in postgres allows user to create index on the table
> 
> Actually, it appears that CREATE INDEX has no permission check at all.
> 
> I agree this is a bug.  Probably CREATE INDEX should require ownership
> permission, the same as ALTER TABLE.

Added to TODO:
* Allow only owner to create indexes

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
 


Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Added to TODO:
>     * Allow only owner to create indexes

I was going to just fix it now.  Do you want to leave it for 7.3?
        regards, tom lane


Re: [HACKERS] Bug #549: select table privilege in postgres allows

From
Bruce Momjian
Date:
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Added to TODO:
> >     * Allow only owner to create indexes
> 
> I was going to just fix it now.  Do you want to leave it for 7.3?

If you think it is safe, go ahead.  I fixed some stuff last night.  :-)

I will remove from TODO when I see the commit.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
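
The report above had no sample code attached. The following is an added regression check, not code from the thread or from the PostgreSQL project, that confirms a role holding only SELECT on a table is refused CREATE INDEX and CREATE UNIQUE INDEX. It assumes a current PostgreSQL release (CREATE ROLE, DO blocks and FOREACH postdate the version discussed in the thread), a superuser session in a scratch database, and constructed object names (bug549_reader, bug549_accounts).

```sql
-- Added example: all role, table and index names are constructed for this check.
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE bug549_reader NOLOGIN;
CREATE TABLE bug549_accounts (id integer PRIMARY KEY, email text);
GRANT SELECT ON bug549_accounts TO bug549_reader;

DO $$
DECLARE
    stmt     text;
    attempts text[] := ARRAY[
        'CREATE INDEX bug549_idx ON bug549_accounts (email)',
        'CREATE UNIQUE INDEX bug549_uq ON bug549_accounts (email)'
    ];
BEGIN
    SET LOCAL ROLE bug549_reader;

    -- Sanity check: the SELECT grant works, so a denial below is about
    -- ownership of the table and not a missing grant.
    PERFORM count(*) FROM bug549_accounts;

    FOREACH stmt IN ARRAY attempts LOOP
        BEGIN
            EXECUTE stmt;
            -- Reaching this line means a non-owner created an index.
            -- This error is not caught by the handler below, so it aborts the run.
            RAISE EXCEPTION 'ownership check missing: "%" succeeded as %',
                stmt, current_user;
        EXCEPTION WHEN insufficient_privilege THEN
            RAISE NOTICE 'refused as required: %', stmt;
        END;
    END LOOP;

    RESET ROLE;
END
$$;

ROLLBACK;
```

The unique-index attempt is listed separately because it is the case the reporter calls serious: a unique index created by a read-only user would change which rows other users are able to insert.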