Hello all,

On Sun, Aug 31, 2008 at 11:55 PM, Ryan Bradetich <[EMAIL PROTECTED]> wrote:
>
> I do not believe this is a huge issue since truncate is prohibited on the
> system catalogs by the truncate_check_rel().
>
> template1=# truncate pg_authid;
> ERROR: permission denied: "pg_authid" is a system catalog
>

I thought about this some more. I believe my suggestion was incorrect.
Since truncate_check_rel() prevents the use of the truncate command on
system catalogs, the TRUNCATE permission should always be stripped from
the system catalogs.

Here is the inconsistency I observed:

template1=# \z pg_catalog.pg_authid
                  Access privileges
   Schema   |   Name    | Type  |  Access privileges
------------+-----------+-------+---------------------
 pg_catalog | pg_authid | table | rbrad=arwdDxt/rbrad
(1 row)

template1=# select rolname, rolcatupdate from pg_authid;
 rolname | rolcatupdate
---------+--------------
 rbrad   | t
(1 row)

template1=# select has_table_privilege('pg_authid', 'truncate');
 has_table_privilege
---------------------
 t
(1 row)

template1=# truncate pg_authid;
ERROR: permission denied: "pg_authid" is a system catalog

The TRUNCATE fails even though \z and has_table_privilege() said I had
permissions.

Compare with the DELETE privilege:

template1=# select has_table_privilege('pg_authid', 'delete');
 has_table_privilege
---------------------
 t
(1 row)

template1=# delete from pg_authid;
DELETE 1

Thanks,

- Ryan