Question on TRUNCATE privleges

"Keith Worthington" <keithw@narrowpathinc.com> writes:

I have just discovered that I can speed up one of my functions by a factor of
600 by changing an unqualified DELETE to a TRUNCATE. Unfortunately, the
function is run by multiple users and I get the error message
"TESTDB=> TRUNCATE inventory.tbl_item;
ERROR: must be owner of relation tbl_item

There is nothing in the documentation
(http://www.postgresql.org/docs/8.0/interactive/sql-truncate.html) about this
restriction ( You see Michael I am still reading the documentation. ;-) ) Do
I get to post my first user comment on the documentation pages? Do I? Hunh?
Can I? :-)

Yup ;-)

Is there a way to have multiple owners of a table or otherwise achive this
behavior?

I'm not entirely sure that requiring ownership of the table is the
appropriate restriction for TRUNCATE. It made some sense back when
TRUNCATE wasn't transaction-safe, but now that it is, you could almost
argue that ordinary DELETE privilege should allow TRUNCATE.

Almost. The hole in the argument is that TRUNCATE doesn't run ON DELETE
triggers and so it could possibly be used to bypass things the table
owner wants to have happen. You could equate TRUNCATE to DROP TRIGGER(s),
DELETE, CREATE TRIGGER(s) ... but DROP TRIGGER requires ownership.

CREATE TRIGGER only requires TRIGGER privilege which is grantable.
So one answer is to change DROP TRIGGER to require TRIGGER privilege
(which would mean user A could remove a trigger installed by user B,
if both have TRIGGER privileges on the table) and then say you can
TRUNCATE if you have both DELETE and TRIGGER privileges.

It looks to me like the asymmetry between CREATE TRIGGER and DROP
TRIGGER is actually required by SQL99, though, so changing it would
be a hard sell (unless SQL2003 fixes it?).

Comments anyone?

regards, tom lane

The author doesn't mention why he got a 600x increase- perhaps he
bypassed the delete triggers which was OK for his situation. I don't
like the notion that an optimization requires additional
privileges...why not detect an unqualified delete and call truncate
instead IFF there are no delete triggers on the table?

On Tue, 2005-02-22 at 14:00, Tom Lane wrote:

"Keith Worthington" <keithw@narrowpathinc.com> writes:

I have just discovered that I can speed up one of my functions by a factor of
600 by changing an unqualified DELETE to a TRUNCATE. Unfortunately, the
function is run by multiple users and I get the error message
"TESTDB=> TRUNCATE inventory.tbl_item;
ERROR: must be owner of relation tbl_item

There is nothing in the documentation
(http://www.postgresql.org/docs/8.0/interactive/sql-truncate.html) about this
restriction ( You see Michael I am still reading the documentation. ;-) ) Do
I get to post my first user comment on the documentation pages? Do I? Hunh?
Can I? :-)

Yup ;-)

Is there a way to have multiple owners of a table or otherwise achive this
behavior?

I'm not entirely sure that requiring ownership of the table is the
appropriate restriction for TRUNCATE. It made some sense back when
TRUNCATE wasn't transaction-safe, but now that it is, you could almost
argue that ordinary DELETE privilege should allow TRUNCATE.

Almost. The hole in the argument is that TRUNCATE doesn't run ON DELETE
triggers and so it could possibly be used to bypass things the table
owner wants to have happen. You could equate TRUNCATE to DROP TRIGGER(s),
DELETE, CREATE TRIGGER(s) ... but DROP TRIGGER requires ownership.

CREATE TRIGGER only requires TRIGGER privilege which is grantable.
So one answer is to change DROP TRIGGER to require TRIGGER privilege
(which would mean user A could remove a trigger installed by user B,
if both have TRIGGER privileges on the table) and then say you can
TRUNCATE if you have both DELETE and TRIGGER privileges.

It looks to me like the asymmetry between CREATE TRIGGER and DROP
TRIGGER is actually required by SQL99, though, so changing it would
be a hard sell (unless SQL2003 fixes it?).

Comments anyone?

Isn't this a case for a SECURITY DEFINER function?

Robert Treat
--
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL

Tom Lane wrote:

"Keith Worthington" <keithw@narrowpathinc.com> writes:

I have just discovered that I can speed up one of my functions by a factor of
600 by changing an unqualified DELETE to a TRUNCATE. Unfortunately, the
function is run by multiple users and I get the error message
"TESTDB=> TRUNCATE inventory.tbl_item;
ERROR: must be owner of relation tbl_item

There is nothing in the documentation
(http://www.postgresql.org/docs/8.0/interactive/sql-truncate.html) about this
restriction ( You see Michael I am still reading the documentation. ;-) ) Do
I get to post my first user comment on the documentation pages? Do I? Hunh?
Can I? :-)

Yup ;-)

Is there a way to have multiple owners of a table or otherwise achive this
behavior?

I'm not entirely sure that requiring ownership of the table is the
appropriate restriction for TRUNCATE. It made some sense back when
TRUNCATE wasn't transaction-safe, but now that it is, you could almost
argue that ordinary DELETE privilege should allow TRUNCATE.

Almost. The hole in the argument is that TRUNCATE doesn't run ON DELETE
triggers and so it could possibly be used to bypass things the table
owner wants to have happen. You could equate TRUNCATE to DROP TRIGGER(s),
DELETE, CREATE TRIGGER(s) ... but DROP TRIGGER requires ownership.

CREATE TRIGGER only requires TRIGGER privilege which is grantable.
So one answer is to change DROP TRIGGER to require TRIGGER privilege
(which would mean user A could remove a trigger installed by user B,
if both have TRIGGER privileges on the table) and then say you can
TRUNCATE if you have both DELETE and TRIGGER privileges.

It looks to me like the asymmetry between CREATE TRIGGER and DROP
TRIGGER is actually required by SQL99, though, so changing it would
be a hard sell (unless SQL2003 fixes it?).

Comments anyone?

Why not say that TRUNCATE requires the same privilige as a DELETE and
add a trigger type that fires (once) on a TRUNCATE? That would give an
owner a chance to prevent it. Such a trigger would probably be useful
for other things too.

Regards,
Thomas Hallgren

Tom Lane wrote:

"Keith Worthington" <keithw@narrowpathinc.com> writes:

I have just discovered that I can speed up one of my functions by a factor of
600 by changing an unqualified DELETE to a TRUNCATE. Unfortunately, the
function is run by multiple users and I get the error message
"TESTDB=> TRUNCATE inventory.tbl_item;
ERROR: must be owner of relation tbl_item

There is nothing in the documentation
(http://www.postgresql.org/docs/8.0/interactive/sql-truncate.html) about this
restriction ( You see Michael I am still reading the documentation. ;-) ) Do
I get to post my first user comment on the documentation pages? Do I? Hunh?
Can I? :-)

Yup ;-)

Is there a way to have multiple owners of a table or otherwise achive this
behavior?

I'm not entirely sure that requiring ownership of the table is the
appropriate restriction for TRUNCATE. It made some sense back when
TRUNCATE wasn't transaction-safe, but now that it is, you could almost
argue that ordinary DELETE privilege should allow TRUNCATE.

Almost. The hole in the argument is that TRUNCATE doesn't run ON DELETE
triggers and so it could possibly be used to bypass things the table
owner wants to have happen. You could equate TRUNCATE to DROP TRIGGER(s),
DELETE, CREATE TRIGGER(s) ... but DROP TRIGGER requires ownership.

CREATE TRIGGER only requires TRIGGER privilege which is grantable.
So one answer is to change DROP TRIGGER to require TRIGGER privilege
(which would mean user A could remove a trigger installed by user B,
if both have TRIGGER privileges on the table) and then say you can
TRUNCATE if you have both DELETE and TRIGGER privileges.

It looks to me like the asymmetry between CREATE TRIGGER and DROP
TRIGGER is actually required by SQL99, though, so changing it would
be a hard sell (unless SQL2003 fixes it?).

Comments anyone?

Why not say that TRUNCATE requires the same privilige as a DELETE and
add a trigger type that fires (once) on a TRUNCATE? That would give an
owner a chance to prevent it. Such a trigger would probably be useful
for other things too.

Regards,
Thomas Hallgren

Thomas Hallgren wrote:

It looks to me like the asymmetry between CREATE TRIGGER and DROP
TRIGGER is actually required by SQL99, though, so changing it would
be a hard sell (unless SQL2003 fixes it?).

Comments anyone?

Why not say that TRUNCATE requires the same privilige as a DELETE and
add a trigger type that fires (once) on a TRUNCATE? That would give an
owner a chance to prevent it. Such a trigger would probably be useful
for other things too.

Uh, that seems like it adds extra complexity just for this single case.

Why don't we allow TRUNCATE by non-owners only if no triggers are
defined, and if they are defined, we throw an error and mention it is
because triggers/contraints exist?

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Bruce Momjian <pgman@candle.pha.pa.us> writes:

Uh, that seems like it adds extra complexity just for this single case.

Yeah. I've dropped the idea personally -- the suggestion that the table
owner can provide a SECURITY DEFINER procedure to do the TRUNCATE if he
wants to allow others to do it seems to me to cover the problem.

Why don't we allow TRUNCATE by non-owners only if no triggers are
defined, and if they are defined, we throw an error and mention it is
because triggers/contraints exist?

I don't think we should put weird special cases in the rights checking
to allow this -- that's usually a recipe for introducing unintended
security holes.

regards, tom lane

Tom Lane wrote:

Bruce Momjian <pgman@candle.pha.pa.us> writes:

Uh, that seems like it adds extra complexity just for this single case.

Yeah. I've dropped the idea personally -- the suggestion that the table
owner can provide a SECURITY DEFINER procedure to do the TRUNCATE if he
wants to allow others to do it seems to me to cover the problem.

Why don't we allow TRUNCATE by non-owners only if no triggers are
defined, and if they are defined, we throw an error and mention it is
because triggers/contraints exist?

I don't think we should put weird special cases in the rights checking
to allow this -- that's usually a recipe for introducing unintended
security holes.

Yea, good point.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

On Thu, 24 Feb 2005 17:15:42 -0500, Tom Lane wrote

Bruce Momjian <pgman@candle.pha.pa.us> writes:

Uh, that seems like it adds extra complexity just for this single case.

Yeah. I've dropped the idea personally -- the suggestion that the table
owner can provide a SECURITY DEFINER procedure to do the TRUNCATE if
he wants to allow others to do it seems to me to cover the problem.

Could someone point me in the direction of documentation on this SECURITY
DEFINER feature?

Kind Regards,
Keith

"Keith Worthington" <keithw@narrowpathinc.com> writes:

On Thu, 24 Feb 2005 17:15:42 -0500, Tom Lane wrote

Yeah. I've dropped the idea personally -- the suggestion that the table
owner can provide a SECURITY DEFINER procedure to do the TRUNCATE if
he wants to allow others to do it seems to me to cover the problem.

Could someone point me in the direction of documentation on this SECURITY
DEFINER feature?

See CREATE FUNCTION. Something like (untested)

create function truncate_my_table() returns void as
$$ truncate my_table $$ language sql security definer;

You'd probably then revoke the default public EXECUTE rights on this
function, and grant EXECUTE only to selected users.

regards, tom lane

hi all,

i have a question about booleans. i heard that a
boolean takes more processing power than setting an
integer as 1 or 0 and coding around those values. is
this really an issue anyone will notice?

also, i understand that db portablility is somewhat
compromised when one uses pg's boolean data type.

are these really issues or am i over analyzing here?

tia...

__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail

<operationsengineer1@yahoo.com> writes:

i have a question about booleans. i heard that a
boolean takes more processing power than setting an
integer as 1 or 0 and coding around those values.

Whoever told you that is completely clueless.

also, i understand that db portablility is somewhat
compromised when one uses pg's boolean data type.

It is true that there are still DBs that don't have the SQL standard
boolean type. IIRC that was added to the standard in SQL99. I think
this is likely to be the least of your portability concerns, however.

regards, tom lane