Bug #549: select table privilege in postgres allows user to create index on the table

Started by Noname, about 24 years ago, 5 messages

#1 Noname
pgsql-bugs@postgresql.org

Shahid Mohammad Shamsi (mshamsi@dinmar.com) reports a bug with a severity of 2
The lower the number the more severe it is.

Short Description
select table privilege in postgres allows user to create index on the table

Long Description
I created a user and assigned select privilege on a table. The user can not insert any data or add a field to the table. But, the user can create indexes on the table despite having select only privileges. This becomes a serious problem if the user can create unique indexes.

Sample Code

No file was uploaded with this report

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Noname (#1)
Re: Bug #549: select table privilege in postgres allows user to create index on the table

pgsql-bugs@postgresql.org writes:

> select table privilege in postgres allows user to create index on the table

Actually, it appears that CREATE INDEX has no permission check at all.

I agree this is a bug. Probably CREATE INDEX should require ownership
permission, the same as ALTER TABLE.

regards, tom lane

#3 Bruce Momjian
pgman@candle.pha.pa.us
In reply to: Tom Lane (#2)
Re: [HACKERS] Bug #549: select table privilege in postgres allows

Tom Lane wrote:

> pgsql-bugs@postgresql.org writes:
>> select table privilege in postgres allows user to create index on the table
>
> Actually, it appears that CREATE INDEX has no permission check at all.
>
> I agree this is a bug. Probably CREATE INDEX should require ownership
> permission, the same as ALTER TABLE.

Added to TODO:

* Allow only owner to create indexes

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Bruce Momjian (#3)
Re: [HACKERS] Bug #549: select table privilege in postgres allows user to create index on the table

Bruce Momjian <pgman@candle.pha.pa.us> writes:

> Added to TODO:
> * Allow only owner to create indexes

I was going to just fix it now. Do you want to leave it for 7.3?

regards, tom lane

#5 Bruce Momjian
pgman@candle.pha.pa.us
In reply to: Tom Lane (#4)
Re: [HACKERS] Bug #549: select table privilege in postgres allows

Tom Lane wrote:

> Bruce Momjian <pgman@candle.pha.pa.us> writes:
>> Added to TODO:
>> * Allow only owner to create indexes
>
> I was going to just fix it now. Do you want to leave it for 7.3?

If you think it is safe, go ahead. I fixed some stuff last night. :-)

I will remove from TODO when I see the commit.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
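
A regression check for the behaviour discussed in this thread, as an added example that is not part of the original messages or of the PostgreSQL sources: it confirms that a role holding only SELECT on a table can read it but is refused CREATE UNIQUE INDEX. The role, table and index names are hypothetical, and it assumes a superuser psql session in a scratch database on a release where CREATE INDEX requires table ownership.

```sql
-- Added example: idx_check_reader, idx_check_t and idx_check_u are hypothetical names.
-- Run with psql as a superuser in a scratch database; all changes are rolled back.
BEGIN;

CREATE ROLE idx_check_reader;
CREATE TABLE idx_check_t (id integer, note text);   -- owned by the session user
INSERT INTO idx_check_t VALUES (1, 'a'), (2, 'b');  -- constructed sample rows
GRANT SELECT ON idx_check_t TO idx_check_reader;

DO $$
DECLARE
    n       bigint;
    refused boolean := false;
BEGIN
    -- Act as the SELECT-only role for the checks below.
    SET LOCAL ROLE idx_check_reader;

    -- The grant itself must work, otherwise the refusal below proves nothing.
    SELECT count(*) INTO n FROM idx_check_t;

    -- The reported operation: index creation by a role that does not own the table.
    BEGIN
        EXECUTE 'CREATE UNIQUE INDEX idx_check_u ON idx_check_t (id)';
    EXCEPTION WHEN insufficient_privilege THEN
        refused := true;
    END;

    RESET ROLE;

    IF NOT refused THEN
        RAISE EXCEPTION 'FAIL: SELECT-only role created an index on idx_check_t';
    END IF;
    RAISE NOTICE 'PASS: read % rows, CREATE UNIQUE INDEX refused', n;
END
$$;

-- List any index left on the table after the attempt.
SELECT indexname
FROM pg_indexes
WHERE tablename = 'idx_check_t';

ROLLBACK;
```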