"David G. Johnston" <david.g.johns...@gmail.com> writes:
> On Thu, Feb 20, 2025 at 9:05 AM Tom Lane <t...@sss.pgh.pa.us> wrote:
>> It used to be that if a superuser issued GRANT/REVOKE, the operation
>> was silently done as the owner of the affected object.

> That is still the case according to the docs (REVOKE):

[ scratches head ... ]  I thought we had changed that, but nope
I'm wrong:

regression=# create user alice;
CREATE ROLE
regression=# create user bob;
CREATE ROLE
regression=# \c - alice
You are now connected to database "regression" as user "alice".
regression=> create table alices_table (f1 int);
CREATE TABLE
regression=> grant select on alices_table to bob;
GRANT
regression=> \dp alices_table
                                  Access privileges
 Schema |     Name     | Type  |  Access privileges   | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
 public | alices_table | table | alice=arwdDxtm/alice+|                   |
        |              |       | bob=r/alice          |                   |
(1 row)

regression=> \c - postgres
You are now connected to database "regression" as user "postgres".
regression=# grant update on alices_table to bob;
GRANT
regression=# \dp alices_table
                                  Access privileges
 Schema |     Name     | Type  |  Access privileges   | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
 public | alices_table | table | alice=arwdDxtm/alice+|                   |
        |              |       | bob=rw/alice         |                   |
(1 row)

regression=# revoke update on alices_table from bob;
REVOKE
regression=# \dp alices_table
                                  Access privileges
 Schema |     Name     | Type  |  Access privileges   | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
 public | alices_table | table | alice=arwdDxtm/alice+|                   |
        |              |       | bob=r/alice          |                   |
(1 row)

regression=# revoke select on alices_table from bob;
REVOKE
regression=# \dp alices_table
                                  Access privileges
 Schema |     Name     | Type  |  Access privileges   | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
 public | alices_table | table | alice=arwdDxtm/alice |                   |
(1 row)

So grants and revokes are still being done as the object owner
by default.

Now I'm unclear on exactly what was happening in Dominique's case.
Was the problematic permission granted by somebody other than
the database's owner?

			regards, tom lane
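
A catalog query for the question the message ends on, added here as an example and not part of the original mail: it lists every ACL entry whose recorded grantor (the role after the "/" in the \dp output above) differs from the object's owner. The choice of relation kinds and the column aliases are assumptions of this example.

```sql
-- Added example: find privileges that were NOT granted as the object's owner.
-- pg_database is cluster-wide; pg_class covers only the current database,
-- so run this in each database that needs auditing.
WITH acls AS (
    SELECT 'database'::text AS kind,
           d.datname::text  AS object,
           d.datdba         AS owner,
           d.datacl         AS acl
    FROM pg_database d
    UNION ALL
    SELECT 'relation',
           c.oid::regclass::text,
           c.relowner,
           c.relacl
    FROM pg_class c
    -- tables, views, matviews, sequences, foreign and partitioned tables
    WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f', 'p')
)
SELECT a.kind,
       a.object,
       pg_get_userbyid(a.owner)   AS owner,
       pg_get_userbyid(x.grantor) AS grantor,
       CASE WHEN x.grantee = 0 THEN 'PUBLIC'   -- OID 0 stands for PUBLIC
            ELSE pg_get_userbyid(x.grantee)
       END                        AS grantee,
       x.privilege_type,
       x.is_grantable
FROM acls a
-- A NULL ACL means only built-in default privileges; it yields no rows here.
CROSS JOIN LATERAL aclexplode(a.acl) AS x
WHERE x.grantor <> a.owner
ORDER BY a.kind, a.object, grantee, x.privilege_type;
```

In the session above this returns no rows for alices_table, since every entry there reads ".../alice" and alice owns the table.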