Re: [HACKERS] Schema grants for creating and dropping objects
Marc Munro m...@bloodnok.com writes:
> It seems that in order to create an object in a given schema, I must have been granted create privilege on the schema. But in order to drop that object I require usage privilege. This means that with the right privilege settings I can create objects that I cannot subsequently drop, or can drop an object that I cannot recreate.

Yeah. So? You can get similar effects with read-only or write-only directories in Unix filesystems. Don't see why you find this surprising.

regards, tom lane
Re: [HACKERS] Schema grants for creating and dropping objects
On Sun, 2011-10-09 at 11:58 -0400, Tom Lane wrote:
> Marc Munro m...@bloodnok.com writes:
> > It seems that in order to create an object in a given schema, I must have been granted create privilege on the schema. But in order to drop that object I require usage privilege. This means that with the right privilege settings I can create objects that I cannot subsequently drop, or can drop an object that I cannot recreate.
>
> Yeah. So? You can get similar effects with read-only or write-only directories in Unix filesystems. Don't see why you find this surprising.

It's just that ordinarily as the owner of an object, I can do what I like with it. In this case, I can't. In fact, once I've created the table I can't access it. I guess the surprising thing to me is that I'm allowed to create it without usage privilege.

However, it is what it is, and as it is intended behaviour I will happily work with it. Perhaps some extra notes in the documentation of the sql-grants section might be useful.

As a side note: creating a file in a write-only directory on Unix doesn't work for me.

> regards, tom lane

Thanks for the response.

__
Marc
[HACKERS] Schema grants for creating and dropping objects
It seems that in order to create an object in a given schema, I must have been granted create privilege on the schema. But in order to drop that object I require usage privilege. This means that with the right privilege settings I can create objects that I cannot subsequently drop, or can drop an object that I cannot recreate.

I assume this is a bug but if it's intended behaviour I'd love to hear the rationale.

I checked this on 8.3, 8.4, 9.0 and 9.1 all with the same results.

Best regards.

__
Marc
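The privilege split discussed in this thread, as an added example that is not part of any of the posts: a scratch-database reproduction of the CREATE-without-USAGE case, followed by a catalog query that lists roles holding CREATE but not USAGE on a schema. The role and schema names (grant_demo, grant_demo_s) are hypothetical, and the script assumes a superuser psql session.

```sql
-- Added example; grant_demo and grant_demo_s are hypothetical names.
-- Run as a superuser in a scratch database. Everything is rolled back at the end.
BEGIN;

CREATE ROLE grant_demo NOLOGIN;
CREATE SCHEMA grant_demo_s;
GRANT CREATE ON SCHEMA grant_demo_s TO grant_demo;  -- CREATE only, no USAGE

SET LOCAL ROLE grant_demo;

-- Creation step: the thread reports that CREATE on the schema is enough here.
CREATE TABLE grant_demo_s.t (id integer);

-- Drop step: the thread reports that this needs USAGE on the schema.
-- The savepoint lets the session continue if the statement is refused.
SAVEPOINT before_drop;
DROP TABLE grant_demo_s.t;
ROLLBACK TO SAVEPOINT before_drop;

RESET ROLE;

-- Audit: roles that can create objects in a schema they cannot look inside.
-- has_schema_privilege() accounts for grants to PUBLIC and role membership;
-- superusers pass both checks and therefore never appear in the result.
SELECT n.nspname AS schema_name,
       r.rolname AS role_name
FROM pg_namespace AS n
CROSS JOIN pg_roles AS r
WHERE n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
  AND NOT has_schema_privilege(r.oid, n.oid, 'USAGE')
ORDER BY schema_name, role_name;

ROLLBACK;  -- removes the demo role, schema and table
```

Running the audit query on its own against a production database gives a list of grants to review; each row is a role that would end up in the situation Marc describes.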