Re: Postgres Permissions Article
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Karsten Hilbert <Karsten.Hilbert@gmx.net>
Cc: pgsql-general@postgresql.org
Date: 2017-03-29T13:36:07Z
Lists: pgsql-hackers, pgsql-general
Karsten Hilbert <Karsten.Hilbert@gmx.net> writes: > On Tue, Mar 28, 2017 at 09:47:40AM -0700, Paul Jungwirth wrote: >> I wrote a blog post about the Postgres permissions system, and I thought I'd >> share: >> http://illuminatedcomputing.com/posts/2017/03/postgres-permissions/ > Not that I am an expert in any way but here's a thought on > why a permission on foreign key creation might be useful: > Being able to create foreign keys may allow to indirectly > discover whether certain values exists in a table which I > don't otherwise have access to (by means of failure or > success to create a judiciously crafted FK). Aside from that, an FK can easily be used to cause effective denial-of-service, for example preventing rows from being deleted within a table, or adding enormous overhead to such a deletion. regards, tom lane
Commits
-
For foreign keys, check REFERENCES privilege only on the referenced table.
- 64d4da511c01 10.0 landed