Josh Berkus <j...@agliodbs.com> writes: > The second, and bigger problem I can see is that this opens a whole new > set of security holes by allowing an end-run around the existing access > control structure with attackers can try to exploit.
Yeah. I'm very concerned about any scheme that invents additional sources of permissions that aren't visible in the object's own ACL list. Even if it's secure in its own terms, it'll blindside people and programs who are used to the existing ways of doing things. >From what I recall of prior discussions, there is rough consensus that the two types of facilities you mentioned (setting up default ACLs to be applied at creation of objects created later, and providing a way to change multiple objects' permissions with one GRANT) are desirable, though there is plenty of argument about the details. Neither of these result in creating any new sources of permissions --- a given object's ACL is still the whole truth. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers