Thread: revoke all from public ?

revoke all from public ?

From
Henk van Lingen
Date:
Hi,

I can't revoke things from 'public'. Do I misunderstand
something or is there a bug?:

henkvl=# create table pipo (field text);
CREATE
henkvl=# grant all on pipo to henkvl;
CHANGE
henkvl=# grant all on pipo to jack;
CHANGE
henkvl=# \z pipo
          Access permissions for database "henkvl"
 Relation |               Access permissions
----------+-------------------------------------------------
 pipo     | {"=","postgres=arwR","henkvl=arwR","jack=arwR"}
(1 row)

henkvl=# revoke all on pipo from public;
CHANGE
henkvl=# \z pipo
          Access permissions for database "henkvl"
 Relation |               Access permissions
----------+-------------------------------------------------
 pipo     | {"=","postgres=arwR","henkvl=arwR","jack=arwR"}
(1 row)

If I revoke from individual users there are no probs.


atlas:/root-# rpm -qf `which postgres`
postgresql-server-7.1.2-4PGDG
atlas:/root-# rpm -qf `which psql`
postgresql-7.1.2-4PGDG

Searching in the archives I found that Tom Lane fixed a prob like this
one year ago? But 7.1.2 is not that old...

Regards,
--
Henk van Lingen, Systems & Network Administrator              (o-      -+
Dept. of Computer Science, Utrecht University.                /\        |
phone: +31-30-2535278                                        v_/_
http://henk.vanlingen.net/             http://www.tuxtown.net/netiquette/

Re: revoke all from public ?

From
Tom Lane
Date:
Henk van Lingen <henkvl@cs.uu.nl> writes:
> I can't revoke things from 'public'. Do I misunderstand
> something or is there a bug?:

Looks fine to me.  Public didn't have any privileges to begin with,
so "revoke all from public" is a no-op in your example.

            regards, tom lane

Re: revoke all from public ?

From
Henk van Lingen
Date:
On Mon, Nov 19, 2001 at 11:02:32AM -0500, Tom Lane wrote:
  : Henk van Lingen <henkvl@cs.uu.nl> writes:
  : > I can't revoke things from 'public'. Do I misunderstand
  : > something or is there a bug?:
  :
  : Looks fine to me.  Public didn't have any privileges to begin with,
  : so "revoke all from public" is a no-op in your example.

  Aha, i understand 'public' refers only to the ' "=" ' part.
  Isn't ...../postgresql/doc/html/sql-revoke.html a bit misguiding
  saying:

   PUBLIC

      Rescind the specified privilege(s) for all users.

  Anyways, thanx, i'll look for another way to revoke all permissions.

--
Henk van Lingen, Systems & Network Administrator              (o-      -+
Dept. of Computer Science, Utrecht University.                /\        |
phone: +31-30-2535278                                        v_/_
http://henk.vanlingen.net/             http://www.tuxtown.net/netiquette/

Re: revoke all from public ?

From
Tom Lane
Date:
Henk van Lingen <henkvl@cs.uu.nl> writes:
>   Isn't ...../postgresql/doc/html/sql-revoke.html a bit misguiding
>   saying:
>    PUBLIC
>       Rescind the specified privilege(s) for all users.

You're right, that's easily misread.  I've added some wording to try
to clarify:

  <para>
   <command>REVOKE</command> allows the creator of an object to revoke
   previously granted permissions from one or more users or groups of users.
   The key word <literal>PUBLIC</literal> refers to the implicitly defined
   group of all users.
  </para>

  <para>
   Note that any particular user will have the sum
   of privileges granted directly to him, privileges granted to any group he
   is presently a member of, and privileges granted to
   <literal>PUBLIC</literal>.  Thus, for example, revoking SELECT privilege
   from <literal>PUBLIC</literal> does not necessarily mean that all users
   have lost SELECT privilege on the object: those who have it granted
   directly or via a group will still have it.
  </para>

>   Anyways, thanx, i'll look for another way to revoke all permissions.

I'm afraid you have to do it retail: if you GRANTed anything to user
joe, you have to REVOKE FROM joe.  There's no easy shortcut.

Well ... hmm ... it would probably work to do
    UPDATE pg_class SET relacl = NULL WHERE relname = 'mytable';
which should revert the permissions on mytable to the default state.
Pretty ugly though, and not guaranteed to work the same in future releases.

            regards, tom lane