pgsql-server/src/backend/catalog aclchk.c

Started by Noname over 22 years ago, 4 messages
#1 Noname
petere@svr1.postgresql.org

CVSROOT: /cvsroot
Module name: pgsql-server
Changes by: petere@svr1.postgresql.org 03/10/05 18:49:12

Modified files:
src/backend/catalog: aclchk.c

Log message:
When revoking privileges from the owner, don't revoke the grant options,
to avoid recursively revoking everything from everyone.

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Noname (#1)
Re: [COMMITTERS] pgsql-server/src/backend/catalog aclchk.c

petere@svr1.postgresql.org (Peter Eisentraut - PostgreSQL) writes:

> When revoking privileges from the owner, don't revoke the grant options,
> to avoid recursively revoking everything from everyone.

So an owner can never revoke his own grant options? That seems
reasonable offhand, and compatible with our previous notion that
the owner's ability to GRANT was inherent and nonrevocable.

But I wonder how this squares with the SQL spec...

regards, tom lane

#3 Peter Eisentraut
peter_e@gmx.net
In reply to: Tom Lane (#2)
Re: [COMMITTERS] pgsql-server/src/backend/catalog aclchk.c

Tom Lane writes:

> So an owner can never revoke his own grant options? That seems
> reasonable offhand, and compatible with our previous notion that
> the owner's ability to GRANT was inherent and nonrevocable.
>
> But I wonder how this squares with the SQL spec...

The root of this problem is that revoking privileges from the owner
doesn't square with the SQL spec in the first place. Allowing having a
grant option without the privilege is not a state that's supported by the
SQL standard, but it just continues the practice we've always had. This
patch just takes care that the recursive revoke action is not invoked in
this case.

--
Peter Eisentraut peter_e@gmx.net

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Peter Eisentraut (#3)
Re: [COMMITTERS] pgsql-server/src/backend/catalog aclchk.c

Peter Eisentraut <peter_e@gmx.net> writes:

> Tom Lane writes:
>
>> But I wonder how this squares with the SQL spec...
>
> The root of this problem is that revoking privileges from the owner
> doesn't square with the SQL spec in the first place. Allowing having a
> grant option without the privilege is not a state that's supported by the
> SQL standard, but it just continues the practice we've always had.

[ digs in spec for awhile ] Okay, I think I see. The SQL92 spec
defines an owner's privileges (both plain and grant-option) as being
granted to him by the magic wizard role _SYSTEM. Since the owner isn't
_SYSTEM, he can't revoke any of his own privileges.

We've always allowed an owner to revoke his own ordinary privileges,
and this seems to be useful and problem-free even if the SQL spec's
worldview doesn't allow it. But we haven't allowed an owner to revoke
his own grant-option privileges, and since SQL92 doesn't either, there
is no reason we shouldn't backpedal at the first sign of trouble with
that feature.

Do any comparable issues arise for other users who've been granted
rights by the owner? Offhand I don't see any, but...

regards, tom lane