Thread: Postgres acl
I believe I found a bug. If a user other than the postgres superuser is given permission to create databases, then he should be able to destroy the databases he creates. Currently he can't, at least in version 6.2.1 complied for SunOS 5.5. Only the poostgres superuser can delete databases. If otherusers try they get the following error message: "WARN:pg_database: Permission denied. destroydb: database destroy failed on tmpdb." eventhough this user is the database admin for tmpdb as shown in the pd_database table.
> I believe I found a bug. If a user other than the postgres superuser is > given permission to create databases, then he should be able to destroy > the databases he creates. Currently he can't, at least in version 6.2.1 > complied for SunOS 5.5. Only the poostgres superuser can delete > databases. If otherusers try they get the following error message: > > "WARN:pg_database: Permission denied. > destroydb: database destroy failed on tmpdb." > > eventhough this user is the database admin for tmpdb as shown in the > pd_database table. At the moment, one requires "create users" privilege to destroy your own database, but only "create databases" privilege to create one. I think there is something about this on the ToDo list... - Tom
> > I believe I found a bug. If a user other than the postgres superuser is > given permission to create databases, then he should be able to destroy > the databases he creates. Currently he can't, at least in version 6.2.1 > complied for SunOS 5.5. Only the poostgres superuser can delete > databases. If otherusers try they get the following error message: > > "WARN:pg_database: Permission denied. > destroydb: database destroy failed on tmpdb." > > eventhough this user is the database admin for tmpdb as shown in the > pd_database table. > > Here is the fix. This bug has been around for a while: --------------------------------------------------------------------------- *** ./aclchk.c.orig Tue Jan 6 00:10:25 1998 --- ./aclchk.c Tue Jan 6 00:18:40 1998 *************** *** 410,416 **** * pg_database table, there is still additional permissions * checking in dbcommands.c */ ! if (mode & ACL_AP) return ACLCHECK_OK; } --- 410,416 ---- * pg_database table, there is still additional permissions * checking in dbcommands.c */ ! if ((mode & ACL_WR) || (mode & ACL_AP)) return ACLCHECK_OK; } -- Bruce Momjian maillist@candle.pha.pa.us