Re: [HACKERS] permission issue

Bruce Momjian <maillist@candle.pha.pa.us>

From: Bruce Momjian <maillist@candle.pha.pa.us>
To: vadim@sable.krasnoyarsk.su (Vadim B. Mikheev)
Cc: hackers@postgreSQL.org
Date: 1998-02-27T15:06:31Z
Lists: pgsql-hackers
> 
> Tables INS (x int) and SEL (y int) are owned by dbadm, for another
> user SELECT granted on SEL, INSERT - on INS.
> 
> Should another user be able to do
> 
> insert into ins select y from sel where x = y;

My guess is that the other user doesn't have SELECT permissions on
INS.y, so this should fail, no?

> 
> or not ? 
> Currently, PG allows this. Backend tries to check 
> (in execMain.c:ExecCheckPerms()) is READ access to
> table being changed granted to user or not, but this check
> seems to be quite stupid:
> 
>             qvars = pull_varnos(parseTree->qual);
>             tvars = pull_varnos((Node *) parseTree->targetList);
>             if (intMember(resultRelation, qvars) ||
>                 intMember(resultRelation, tvars))
> 
> : pull_varnos is very simple and just skips expressions in
> qual & target list.
> 
> We have to either get rid of this check or change it.
> 
> What do you think ?
> How "big boys" handle this ?
> 
> Vadim
> 
> 


-- 
Bruce Momjian                          |  830 Blythe Avenue
maillist@candle.pha.pa.us              |  Drexel Hill, Pennsylvania 19026
  +  If your life is a hard drive,     |  (610) 353-9879(w)
  +  Christ can be your backup.        |  (610) 853-3000(h)