Thread

  1. Re: [HACKERS] Postgres acl (fwd)

    Kevin Witten <kwitten@qdt.com> — 1998-01-06T18:01:03Z

    Bruce Momjian wrote:
    > 
    > Forwarded message:
    > > > I believe I found a bug. If a user other than the postgres superuser is
    > > > given permission to create databases, then he should be able to destroy
    > > > the databases he creates. Currently he can't, at least in version 6.2.1
    > > > compiled for SunOS 5.5. Only the postgres superuser can delete
    > > > databases. If other users try they get the following error message:
    > > >
    > > > "WARN:pg_database: Permission denied.
    > > > destroydb: database destroy failed on tmpdb."
    > > >
    > > > even though this user is the database admin for tmpdb as shown in the
    > > > pg_database table.
    > > >
    > > >
    > >
    > > Here is the fix.  This bug has been around for a while:
    > >
    > > ---------------------------------------------------------------------------
    > >
    > > *** ./aclchk.c.orig   Tue Jan  6 00:10:25 1998
    > > --- ./aclchk.c        Tue Jan  6 00:18:40 1998
    > > ***************
    > > *** 410,416 ****
    > >                * pg_database table, there is still additional permissions
    > >                * checking in dbcommands.c
    > >                */
    > > !             if (mode & ACL_AP)
    > >                       return ACLCHECK_OK;
    > >       }
    > >
    > > --- 410,416 ----
    > >                * pg_database table, there is still additional permissions
    > >                * checking in dbcommands.c
    > >                */
    > > !             if ((mode & ACL_WR) || (mode & ACL_AP))
    > >                       return ACLCHECK_OK;
    > >       }
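Review bot: the new condition `if ((mode & ACL_WR) || (mode & ACL_AP))` grants write access to every pg_database row for any user who may create databases, without looking at which row is being modified, so a direct DELETE or UPDATE on the catalog is passed through with no ownership test. The comment just above defers to "additional permissions checking in dbcommands.c", but that code only runs for destroydb, not for statements that touch pg_database directly. Consider keeping ACL_AP as the unconditional grant and allowing ACL_WR only when the row's datdba matches the requesting user; as a minor style point, the two tests can also be written as `if (mode & (ACL_WR | ACL_AP))`.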
    > 
    > I am now thinking about this patch, and I don't think I like it.  The
    > original code allowed APPEND-only for users who can create databases,
    > but no DELETE.  The patch gives them DELETE permission, so they can
    > destroy their database, but they could issue the command:
    > 
    >         select from pg_database
    > 
    > and destroy everyone's.  'drop database' does checks, but the acl check
    > is done in the executor, and it doesn't know if the checks have been
    > performed or not.
    > 
    > Can someone who has permission to create databases be trusted not to
    > delete others?  If we say no, how do we make sure they can change
    > pg_database rows on only databases that they own?
    > 
    > --
    > Bruce Momjian
    > maillist@candle.pha.pa.us
    
    
    Can't you check to see if they own the database before you let them
    delete the row in pg_database? If a row is deleted from pg_database, it
    is disallowed unless the userid is the same as the datdba field in that
    row?
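To make the difference between the two rules concrete, here is an added C model (not PostgreSQL's code, and not from anyone in this thread) of the ACL decision for `delete from pg_database`. It contrasts the quoted patch, which hands out ACL_WR to every createdb user for every row, with the ownership test proposed in the reply; the mode bits, result codes, catalog rows and user ids are all constructed values.

```c
#include <stddef.h>

/* Constructed stand-ins for the mode bits and result codes used in aclchk.c;
 * the numeric values are assumptions, not the ones from the 6.2.1 headers. */
#define ACL_AP 0x1
#define ACL_WR 0x2
#define ACLCHECK_OK      0
#define ACLCHECK_NO_PRIV 1

/* Minimal model of a pg_database row: datdba records the owner's userid. */
typedef struct {
    const char *datname;
    int datdba;
} DatabaseRow;

/* Rule from the quoted patch: a user allowed to create databases gets
 * WR (delete/update) on pg_database for every row; ownership is not consulted. */
int patched_check(int mode, int usecreatedb)
{
    if (usecreatedb && ((mode & ACL_WR) || (mode & ACL_AP)))
        return ACLCHECK_OK;
    return ACLCHECK_NO_PRIV;
}

/* Rule from the reply: APPEND stays as before, but WR on a pg_database row
 * is allowed only when the caller's userid matches that row's datdba. */
int owner_scoped_check(int mode, int usecreatedb, int userid, const DatabaseRow *row)
{
    if (!usecreatedb)
        return ACLCHECK_NO_PRIV;
    if (mode & ACL_AP)
        return ACLCHECK_OK;
    if ((mode & ACL_WR) && row != NULL && row->datdba == userid)
        return ACLCHECK_OK;
    return ACLCHECK_NO_PRIV;
}

/* Constructed catalog: three databases owned by three different users. */
static const DatabaseRow catalog[] = { {"tmpdb", 100}, {"payroll", 101}, {"template1", 1} };
#define NCATALOG 3

/* Simulate "delete from pg_database" issued by userid: how many rows would
 * each rule let that user remove? (patched rule never looks at the row) */
int rows_deletable_patched(int userid, int usecreatedb)
{
    int n = 0;
    (void)userid;
    for (int i = 0; i < NCATALOG; i++)
        if (patched_check(ACL_WR, usecreatedb) == ACLCHECK_OK) n++;
    return n;
}

int rows_deletable_owner_scoped(int userid, int usecreatedb)
{
    int n = 0;
    for (int i = 0; i < NCATALOG; i++)
        if (owner_scoped_check(ACL_WR, usecreatedb, userid, &catalog[i]) == ACLCHECK_OK) n++;
    return n;
}
```

With the constructed catalog, user 100 (owner of tmpdb only) can delete all three rows under the patched rule but only its own row under the ownership-scoped rule.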