Re: [HACKERS] Postgres acl (fwd)

Bruce Momjian <maillist@candle.pha.pa.us>

From: Bruce Momjian <maillist@candle.pha.pa.us>
To: scrappy@hub.org (The Hermit Hacker)
Cc: kwitten@qdt.com, hackers@postgreSQL.org
Date: 1998-01-06T19:21:32Z
Lists: pgsql-hackers
> 
> On Tue, 6 Jan 1998, Bruce Momjian wrote:
> 
> > > 
> > > On Tue, 6 Jan 1998, Bruce Momjian wrote:
> > > 
> > > > Can someone who has permission to create databases be trusted not to
> > > > delete others?  If we say no, how do we make sure they can change
> > > > pg_database rows on only databases that they own?
> > > 
> > > 	deleting a database is accomplished using 'drop database', no?
> > > Can the code for that not be modified to see whether the person dropping
> > > the database is the person that owns it *or* pgsuperuser?
> > 
> > It already does the check, but issues an SQL from the C code to delete
> > from pg_database.  I believe any user who can create a database can
> > issue the same SQL command from psql, bypassing the drop database
> > checks, no?
> 
> 	Okay, I understand what you mean here...so I guess the next
> question is should system tables be directly modifyable by non-superuser?
> 
> 	For instance, we have a 'drop database' SQL command...can we
> restrict 'delete from pg_database' to just superuser, while leaving 'drop
> database' open to those with createdb privileges?  Same with 'create
> user', and, possible, a 'create group' command instead of 'insert into
> pg_group'?

Yes, we must replace the SQL commands in commands/dbcommands.c with
lower-level C table access routines so we do not have to go to the
executor, where the access permissions are checked.

-- 
Bruce Momjian
maillist@candle.pha.pa.us