Thread: Re: [COMMITTERS] pgsql-server/src/backend/catalog aclchk.c

Re: [COMMITTERS] pgsql-server/src/backend/catalog aclchk.c

From
Tom Lane
Date:
petere@svr1.postgresql.org (Peter Eisentraut - PostgreSQL) writes:
>     When revoking privileges from the owner, don't revoke the grant options,
>     to avoid recursively revoking everything from everyone.

So an owner can never revoke his own grant options?  That seems
reasonable offhand, and compatible with our previous notion that
the owner's ability to GRANT was inherent and nonrevocable.

But I wonder how this squares with the SQL spec...
        regards, tom lane


Re: [COMMITTERS] pgsql-server/src/backend/catalog aclchk.c

From
Peter Eisentraut
Date:
Tom Lane writes:

> So an owner can never revoke his own grant options?  That seems
> reasonable offhand, and compatible with our previous notion that
> the owner's ability to GRANT was inherent and nonrevocable.
>
> But I wonder how this squares with the SQL spec...

The root of this problem is that revoking privileges from the owner
doesn't square with the SQL spec in the first place.  Allowing having a
grant option without the privilege is not a state that's supported by the
SQL standard, but it just continues the practice we've always had.  This
patch just takes care that the recursive revoke action is not invoked in
this case.

-- 
Peter Eisentraut   peter_e@gmx.net



Re: [COMMITTERS] pgsql-server/src/backend/catalog aclchk.c

From
Tom Lane
Date:
Peter Eisentraut <peter_e@gmx.net> writes:
> Tom Lane writes:
>> But I wonder how this squares with the SQL spec...

> The root of this problem is that revoking privileges from the owner
> doesn't square with the SQL spec in the first place.  Allowing having a
> grant option without the privilege is not a state that's supported by the
> SQL standard, but it just continues the practice we've always had.

[ digs in spec for awhile ]  Okay, I think I see.  The SQL92 spec
defines an owner's privileges (both plain and grant-option) as being
granted to him by the magic wizard role _SYSTEM.  Since the owner isn't
_SYSTEM, he can't revoke any of his own privileges.

We've always allowed an owner to revoke his own ordinary privileges,
and this seems to be useful and problem-free even if the SQL spec's
worldview doesn't allow it.  But we haven't allowed an owner to revoke
his own grant-option privileges, and since SQL92 doesn't either, there
is no reason we shouldn't backpedal at the first sign of trouble with
that feature.

Do any comparable issues arise for other users who've been granted
rights by the owner?  Offhand I don't see any, but...
        regards, tom lane