On 29/09/15 11:20, Alex Peshkoff wrote:
> On 09/29/2015 01:11 PM, Paul Vinkenoog wrote:
>> Alex Peshkoff wrote:
>>
>>> Please look at this trivial sample.
>>>
>>> create table t (f int);
>>> grant select on t to public granted by abc;
>>> revoke all on all from abc;
>>>
>>> Currently privileges, granted by user ABC, remain as is after executing
>>> the mentioned revoke operator. This looks like a bug to me, but before fixing
>>> (existing SQL operator behavior to be changed) I want to ask here - does
>>> anybody see problems with removing rights, granted by user, in subj?
>> Why is this a bug? 'Revoke all on all from abc' means to take away all 
>> rights on any objects that were granted TO user ABC. IMO this should not 
>> imply that any privileges granted to other users/roles BY user ABC are also 
>> withdrawn.
> 
> If all rights were revoked from ABC, how can rights, granted by him,
> remain in the database?
> 
Nothing specific to Firebird, but if ABC is a supervisor who has left
the company, do you really want to mess up all the people who used to
work for him?

Or, rather more seriously, if ABC was the DBA, you can't leave him
there, it's a massive security risk, but if you deleted him as per your
rules, you'd end up with permissions of "everybody:none".

Cheers,
Wol


------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
