Dear Tom, > > It seems that GRANT ALL ON SCHEMA does not properly > > check for grantor rights. > > What's happening is that pg_namespace_aclcheck() allows the operation > if you have GRANT OPTION for *any* of the rights to be granted. The > same problem exists for all object types.
I did not had time to go to the source code, but I thought it was likely to be a generic bug. > I am not sure whether we should refuse the operation or just narrow > the set of privileges to those that are grantable per GRANT OPTION. > Peter, any thoughts? I'm not Peter, but I have an answer anyway: the standard says it should be narrowed. ISO/IEC 9075-2:2003 (E) 12.3 <privileges> ... Syntax Rules 1) ALL PRIVILEGES is equivalent to the specification of all of the privileges on <object name> for which the <grantor> has grantable privilege descriptors. -- Fabien Coelho - [EMAIL PROTECTED] ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
