public inbox for pgsql-sql@postgresql.org
help / color / mirror / Atom feedFrom: David G. Johnston <david.g.johnston@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Ing. Marijo Kristo <marijo.kristo@icloud.com>
Cc: PostgreSQL Bug List <pgsql-bugs@lists.postgresql.org>
Subject: Re: Re: Re: Revoke Connect Privilege from Database not working
Date: Mon, 7 Apr 2025 09:22:45 -0700
Message-ID: <CAKFQuwbpC5w6sUq8gZQATrviZUT4bYpxW+=2uH6sWWMg7fWjzg@mail.gmail.com> (raw)
In-Reply-To: <3467676.1744041977@sss.pgh.pa.us>
References: <CAKFQuwa7m2smqqpgPetw=i8Aj-xqg9Zjc5Z2aX3AUwNh96WnXw@mail.gmail.com>
<d9bf666c-4d11-4196-99a8-b71d01d9ad40@me.com>
<CAKFQuwbB-ZKtN_p_y5sWa2MrTuy5=pRNPWSj1Ud4HHvTuhb54w@mail.gmail.com>
<3467676.1744041977@sss.pgh.pa.us>
On Mon, Apr 7, 2025 at 9:06 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> "David G. Johnston" <david.g.johnston@gmail.com> writes:
> > On master, confirmed that after this command the privilege:
> > test_user=c/test_admin (on database testdb) still exists. That seems
> like
> > a bug. Its at least a POLA violation and I cannot figure out how to read
> > the revoke reference page in a way that explains it.
>
> I believe what's going on there is explained by the rule that
> "grants and revokes done by a superuser are done as if issued
> by the object owner". So here, what would be revoked is
> test_user=c/postgres, which isn't the privilege at issue.
> Include GRANTED BY in the REVOKE to override the default
> choice of grantor.
>
The command in question did include "granted by" which is why this is a
bug. The explicit granted by specification is being ignored if the
invoking user is a superuser.
revoke connect on database testdb:v
from test_user:v
---------------
granted by test_admin:v;
---^^^^^^^^^
So if we stick with status quo behavior we'd need to write the following
because the ignoring part is a POLA violation:
If a superuser chooses to issue a GRANT or REVOKE command, the command is
performed as though it were issued by the owner of the affected object, and
the granted by clause is ignored.
David J.
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: pgsql-sql@postgresql.org
Cc: david.g.johnston@gmail.com, tgl@sss.pgh.pa.us, marijo.kristo@icloud.com, pgsql-bugs@lists.postgresql.org
Subject: Re: Re: Re: Re: Revoke Connect Privilege from Database not working
In-Reply-To: <CAKFQuwbpC5w6sUq8gZQATrviZUT4bYpxW+=2uH6sWWMg7fWjzg@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox