Thread
-
Bug #746: Drop user damages security on tables
PostgreSQL Bugs List <pgsql-bugs@postgresql.org> — 2002-08-26T14:23:29Z
Mickey Parker (parkerm@hst.stoneridge.com) reports a bug with a severity of 1 The lower the number the more severe it is. Short Description Drop user damages security on tables Long Description A user was setup and had GRANT permissions on individual tables in a database. After the user was dropped, using the /z from psql command line showed the user ID still existing in the individual table permissions. After the drop, several other users then were unable to execute SELECT or INSERT on this table. These users would get a -601 error when trying to do a SELECT or INSERT. Also, trying to REVOKE permissions on the user ID that belonged to the dropped user resulted in a parse error. Sample Code No file was uploaded with this report
-
Re: Bug #746: Drop user damages security on tables
Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-26T14:42:36Z
pgsql-bugs@postgresql.org writes: > A user was setup and had GRANT permissions on individual tables in a database. After the user was dropped, using the /z from psql command line showed the user ID still existing in the individual table permissions. After the drop, several other users then were unable to execute SELECT or INSERT on this table. These users would get a -601 error when trying to do a SELECT or INSERT. Also, trying to REVOKE permissions on the user ID that belonged to the dropped user resulted in a parse error. What is a "-601 error"? There's surely no such message in Postgres. Also, "a parse error" is quite an unhelpful report. Show us the exact command you tried to issue. It's true that DROP USER doesn't do anything about removing ACL entries that reference that user, but there are no known problems resulting from that, so I'm suspicious that your report is entirely user error. Without seeing a reproducible test case it's difficult to do anything anyway. regards, tom lane
-
Re: Bug #746: Drop user damages security on tables
lockhart@fourpalms.org — 2002-08-27T00:58:09Z
> > A user was setup and had GRANT permissions on individual tables in a database. After the user was dropped, using the /z from psql command line showed the user ID still existing in the individual table permissions. After the drop, several other users then were unable to execute SELECT or INSERT on this table. These users would get a -601 error when trying to do a SELECT or INSERT. Also, trying to REVOKE permissions on the user ID that belonged to the dropped user resulted in a parse error. > What is a "-601 error"? There's surely no such message in Postgres. There surely is in ecpg: ecpgerrno.h:#define ECPG_WARNING_QUERY_IGNORED -601 These error codes are typically chosen to conform to SQL9x or to Oracle's conventions, though I haven't looked into this one in a while... - Thomas -
Re: Bug #746: Drop user damages security on tables
Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-27T06:04:21Z
Thomas Lockhart <lockhart@fourpalms.org> writes: >> What is a "-601 error"? There's surely no such message in Postgres. > There surely is in ecpg: > ecpgerrno.h:#define ECPG_WARNING_QUERY_IGNORED -601 Hmm ... maybe, but a query-ignored failure could only happen in the case of multiple commands wrapped in a transaction block. Which still leaves us needing more context than the complaint offered ... regards, tom lane