Обсуждение: permission issue
Tables INS (x int) and SEL (y int) are owned by dbadm, for another user SELECT granted on SEL, INSERT - on INS. Should another user be able to do insert into ins select y from sel where x = y; or not ? Currently, PG allows this. Backend tries to check (in execMain.c:ExecCheckPerms()) is READ access to table being changed granted to user or not, but this check seems to be quite stupid: qvars = pull_varnos(parseTree->qual); tvars = pull_varnos((Node *) parseTree->targetList); if (intMember(resultRelation, qvars) || intMember(resultRelation, tvars)) : pull_varnos is very simple and just skips expressions in qual & target list. We have to either get rid of this check or change it. What do you think ? How "big boys" handle this ? Vadim
> > Tables INS (x int) and SEL (y int) are owned by dbadm, for another > user SELECT granted on SEL, INSERT - on INS. > > Should another user be able to do > > insert into ins select y from sel where x = y; My guess is that the other user doesn't have SELECT permissions on INS.y, so this should fail, no? > > or not ? > Currently, PG allows this. Backend tries to check > (in execMain.c:ExecCheckPerms()) is READ access to > table being changed granted to user or not, but this check > seems to be quite stupid: > > qvars = pull_varnos(parseTree->qual); > tvars = pull_varnos((Node *) parseTree->targetList); > if (intMember(resultRelation, qvars) || > intMember(resultRelation, tvars)) > > : pull_varnos is very simple and just skips expressions in > qual & target list. > > We have to either get rid of this check or change it. > > What do you think ? > How "big boys" handle this ? > > Vadim > > -- Bruce Momjian | 830 Blythe Avenue maillist@candle.pha.pa.us | Drexel Hill, Pennsylvania 19026 + If your life is a hard drive, | (610) 353-9879(w) + Christ can be your backup. | (610) 853-3000(h)
Vadim wrote: > > Tables INS (x int) and SEL (y int) are owned by dbadm, for another > user SELECT granted on SEL, INSERT - on INS. > > Should another user be able to do > > insert into ins select y from sel where x = y; > > or not ? > Currently, PG allows this. Backend tries to check > (in execMain.c:ExecCheckPerms()) is READ access to > table being changed granted to user or not, but this check > seems to be quite stupid: > > qvars = pull_varnos(parseTree->qual); > tvars = pull_varnos((Node *) parseTree->targetList); > if (intMember(resultRelation, qvars) || > intMember(resultRelation, tvars)) > > : pull_varnos is very simple and just skips expressions in > qual & target list. > > We have to either get rid of this check or change it. > > What do you think ? > How "big boys" handle this ? > > Vadim > > As I wrote we must change more on the permission checking than currently done. I plan to implement something like an effective user which is used instead of the current user in the checks and switch the effective user on function calls to the owner of the function (triggers are implemented as functions and thus also covered). And we need that effective user too for the checks in views instead of what we did now with skipAcl in the RTE. I'll keep the above words in mind when doing so. But first let's release 6.3. Jan -- #======================================================================# # It's easier to get forgiveness for being wrong than for being right. # # Let's break this rule - forgive me. # #======================================== jwieck@debis.com (Jan Wieck) #