Search Postgresql Archives

Re: [HACKERS] REFERENCES privilege should not be symmetric (was Re: Postgres Permissions Article)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 31, 2017 at 7:40 PM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
Robert Haas <robertmhaas@xxxxxxxxx> writes:
> On Fri, Mar 31, 2017 at 11:29 AM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
>> The argument for not back-patching a bug fix usually boils down to
>> fear of breaking existing applications, but it's hard to see how
>> removal of a permission check could break a working application ---
>> especially when the permission check is as hard to trigger as this one.
>> How many table owners ever revoke their own REFERENCES permission?

> Sure, but that argument cuts both ways.  If nobody ever does that, who
> will be helped by back-patching this?
> I certainly agree that back-patching this change is pretty low risk.
> I just don't think it has any real benefits.

I think the benefit is reduction of user confusion.  Admittedly, since
Paul is the first person I can remember ever having complained about it,
maybe nobody else is confused.

I think we also need to be extra careful about changing *security related* behavior in back branches, even more so than other behavior. In this case I think it's quite unlikely that it would hit somebody, but the risk is there. And people generally auto-upgrade to the latest minor releases, whereas they at least in theory read the top of the release notes when doing a major upgrade (ok, most people probably don't, but at least some do).

--

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux