Participants
hubert depesz lubaczewski
hubert depesz lubaczewski
Tom Lane
Tom Lane
Sean Chittenden
Sean Chittenden
Attachments
Show all attachments
Thread Outline
#1hubert depesz lubaczewskihubert depesz lubaczewski
Jan 09, 2003
#2Tom LaneTom Laneto hubert depesz lubaczewski (#1)
Jan 09, 2003
#3hubert depesz lubaczewskihubert depesz lubaczewskito Tom Lane (#2)
Jan 09, 2003
#4Sean ChittendenSean Chittendento hubert depesz lubaczewski (#3)
Jan 10, 2003

dropping user doesn't erase his rights.

Started by hubert depesz lubaczewskiover 23 years ago4 messagesbugs
Jump to latest
#1hubert depesz lubaczewski
hubert depesz lubaczewski
depesz@depesz.pl

Versions tested:
7.4devel from cvs and 7.2.x (i'm not sure about x since the test was
done by somebody else).

Description:
When dropping user his rights stay in database creating possible
security breach.

Sample Code:
create table xxx (...);
create user test;
grant select on xxx to test;
select relacl from pg_class where relname='czasy';
drop user test;
select relacl from pg_class where relname='czasy';

right now it's not even possible to revoke this rights:
# revoke all on xxx from test;
ERROR: user "test" does not exist
[[local]:5432] [depesz@depesz]
# revoke all on xxx from 102;
ERROR: parser: syntax error at or near "102" at character 24

I belive drop user should automatically drop all user privileges, and
even if not there should be simple syntax to drop all user privileges
from all objects in database (dropping all privileges "by hand" might be
major pain when dealing with > 100 tables with several hundreds of
views, procedures and so on.

depesz

--
hubert depesz lubaczewski http://www.depesz.pl/

wynajmę mieszkanie - 60 metrów, 3 pokoje, piastów - od lutego (po <

-=> remoncie) interesuje cię - napisz: depesz@depesz.pl <=-

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: hubert depesz lubaczewski (#1)
Re: dropping user doesn't erase his rights.

Hubert depesz Lubaczewski <depesz@depesz.pl> writes:

I belive drop user should automatically drop all user privileges

Difficult to do, when those privileges might be recorded in databases
you're not even connected to at the time of the drop.

regards, tom lane

#3hubert depesz lubaczewski
hubert depesz lubaczewski
depesz@depesz.pl
In reply to: Tom Lane (#2)
Re: dropping user doesn't erase his rights.

On Thu, Jan 09, 2003 at 11:21:56AM -0500, Tom Lane wrote:

Difficult to do, when those privileges might be recorded in databases
you're not even connected to at the time of the drop.

I belive it would be pretty difficult, but leaving it "just like that"
creates ssecurity breach (imagine someone droping user, beliving that
everytinh is o.k.), than someone else creates different user but with
keeping unused sysid (this might be the case with system users and
keeping system user-id with database user-id the same) - which happens
to be "not unused". i'm not sure if i'm clear about it.

depesz

--
hubert depesz lubaczewski http://www.depesz.pl/

wynajmę mieszkanie - 60 metrów, 3 pokoje, piastów - od lutego (po <

-=> remoncie) interesuje cię - napisz: depesz@depesz.pl <=-

#4Sean Chittenden
Sean Chittenden
sean@chittenden.org
In reply to: hubert depesz lubaczewski (#3)
Re: dropping user doesn't erase his rights.

Difficult to do, when those privileges might be recorded in
databases you're not even connected to at the time of the drop.

I belive it would be pretty difficult, but leaving it "just like
that" creates ssecurity breach (imagine someone droping user,
beliving that everytinh is o.k.), than someone else creates
different user but with keeping unused sysid (this might be the case
with system users and keeping system user-id with database user-id
the same) - which happens to be "not unused". i'm not sure if i'm
clear about it.

Wouldn't an ON DELETE trigger on the system catalogs work? I'd think
it would be possible to select the tables and groups that a user had
privs to and iterate through each calling REVOKE. -sc

--
Sean Chittenden

← Back to Topics