Petr Jelinek wrote:
> KaiGai Kohei wrote:
>> I tried to check the default ACL behavior.
>>
>> It works for me fine, good, but ...
>>
>> postgres=> SELECT * INTO t3 FROM t1;
>> SELECT
>> postgres=> SELECT * FROM t3;
>>  a |  b
>> ---+-----
>>  1 | aaa
>>  2 | bbb
>> (2 rows)
>>
>> postgres=> INSERT INTO t3 VALUES (3,'ccc');
>> ERROR: permission denied for relation t3
>>
>> In this case, the new table t3 is created with the default ACL which does not
>> allow to insert any values by the owner of the relation.
>>
>> SELECT INTO does not check ACL_INSERT on the newly created tables, because
>> we had been able to assume the table owner always has privilege to insert
>> values into the new table.
>> So, OpenIntoRel() didn't check this obvious privilege.
>>
>> But the default ACL feature breaks this assumption. The table owner may not
>> have privilege to insert values into new tables.
>> So, it is necessary to put actual access controls on the OpenIntoRel().
>>
>
> That's strange behavior I agree. However I don't see how default ACLs
> changed it in any way, owner could REVOKE his privileges before.
>
I don't think the default ACL feature should do something ad-hoc here.
Is there anything necessary more than adding permission checks to insert values into the new table?

Thanks,
--
KaiGai Kohei <kai...@kaigai.gr.jp>
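
The state discussed in this thread, a table whose owner holds no INSERT privilege on it, as an added example that is not part of the original messages or of the patch under review. The role name alice is an assumption and the data is constructed; the script reaches the state through the explicit REVOKE that Petr mentions and then lists every table in that state from the catalog.

```sql
-- Constructed example. Run as a non-superuser role, here called alice
-- (assumed name), that is allowed to create tables in the current schema.
CREATE TABLE t1 (a int, b text);
INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb');

-- An owner can give up INSERT on their own table without any default ACL.
CREATE TABLE t3 (a int, b text);
REVOKE INSERT ON t3 FROM alice;

-- The owner still reads the table, but the ordinary INSERT path enforces
-- the ACL and the next statement fails with "permission denied".
SELECT * FROM t3;
INSERT INTO t3 VALUES (3, 'ccc');

-- Audit: ordinary tables whose owner currently lacks INSERT.
-- Any code path that populates a table on the owner's behalf without
-- checking ACL_INSERT would bypass the ACL on exactly these tables.
-- Superuser owners never appear, because has_table_privilege()
-- always returns true for superusers.
SELECT c.oid::regclass             AS table_name,
       pg_get_userbyid(c.relowner) AS owner,
       c.relacl                    AS acl
FROM   pg_class c
WHERE  c.relkind = 'r'
  AND  NOT has_table_privilege(c.relowner, c.oid, 'INSERT')
ORDER  BY 1;

-- Clean up the constructed objects.
DROP TABLE t3;
DROP TABLE t1;
```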