Re: Revoke Connect Privilege from Database not working

public inbox for pgsql-sql@postgresql.org  
help / color / mirror / Atom feed

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: Robert Haas <robertmhaas@gmail.com>
Cc: Peter Eisentraut <peter@eisentraut.org>
Cc: David G. Johnston <david.g.johnston@gmail.com>
Cc: Ing. Marijo Kristo <marijo.kristo@icloud.com>
Cc: PostgreSQL Bug List <pgsql-bugs@lists.postgresql.org>
Subject: Re: Revoke Connect Privilege from Database not working
Date: Wed, 21 Jan 2026 11:57:01 -0500
Message-ID: <2222571.1769014621@sss.pgh.pa.us> (raw)
In-Reply-To: <aXDwtbXCu42Fdmrn@nathan>
References: <CAKFQuwa7m2smqqpgPetw=i8Aj-xqg9Zjc5Z2aX3AUwNh96WnXw@mail.gmail.com>
	<d9bf666c-4d11-4196-99a8-b71d01d9ad40@me.com>
	<CAKFQuwbB-ZKtN_p_y5sWa2MrTuy5=pRNPWSj1Ud4HHvTuhb54w@mail.gmail.com>
	<3467676.1744041977@sss.pgh.pa.us>
	<CAKFQuwbpC5w6sUq8gZQATrviZUT4bYpxW+=2uH6sWWMg7fWjzg@mail.gmail.com>
	<aRYLkTpazxKhnS_w@nathan>
	<1933586.1768950341@sss.pgh.pa.us>
	<aXDwtbXCu42Fdmrn@nathan>

Nathan Bossart <nathandbossart@gmail.com> writes:
> Yeah, I think doing most of the work in select_best_grantor() is obviously
> better.  I recall wondering whether we should check for INHERIT or SET
> privilege (or both) on the grantor role, and IIRC I settled on INHERIT
> because select_best_grantor() searches through roles we have INHERIT on.

Yeah, I mentally had that point as something to check on.  Clearly,
if you have SET ROLE privilege then you can become the target role
and then issue the GRANT, so if we define GRANTED BY like that
then we're not allowing anything that can't be done today.  However,
it feels like INHERIT is a more natural test to make, since AIUI
that is what permits "automatic" use of a role's privileges, and that
seems to be what we'd be doing here.

I'd be interested to hear Robert's opinion on this, or somebody
else who worked on the SET/INHERIT splitup.

Also cc'ing Peter, who put in the current effectively-a-noise-clause
behavior of GRANTED BY, to see if he has standards-compliance or
other concerns about changing this.

> Would you like to handle docs/tests/committing, or shall I?

I'm willing to push it forward if we have consensus to do it.

			regards, tom lane

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: pgsql-sql@postgresql.org
  Cc: tgl@sss.pgh.pa.us, nathandbossart@gmail.com, robertmhaas@gmail.com, peter@eisentraut.org, david.g.johnston@gmail.com, marijo.kristo@icloud.com, pgsql-bugs@lists.postgresql.org
  Subject: Re: Revoke Connect Privilege from Database not working
  In-Reply-To: <2222571.1769014621@sss.pgh.pa.us>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox