On 09/29/2015 01:38 PM, Wols Lists wrote:
> On 29/09/15 11:20, Alex Peshkoff wrote:
>> On 09/29/2015 01:11 PM, Paul Vinkenoog wrote:
>>> Alex Peshkoff wrote:
>>>
>>>> Please look at this trivial sample.
>>>>
>>>> create table t (f int);
>>>> grant select on t to public granted by abc;
>>>> revoke all on all from abc;
>>>>
>>>> Currently privileges granted by user ABC remain as is after executing 
>>>> the mentioned revoke operator. This looks like a bug to me, but before fixing 
>>>> (existing SQL operator behavior to be changed) I want to ask here - does 
>>>> anybody see problems with removing rights, granted by user, in subj?
>>> Why is this a bug? 'Revoke all on all from abc' means to take away all 
>>> rights on any objects that were granted TO user ABC. IMO this should not 
>>> imply that any privileges granted to other users/roles BY user ABC are also 
>>> withdrawn.
>> If all rights were revoked from ABC, how can rights granted by him
>> remain in the database?
>>
> Nothing specific to Firebird, but if ABC is a supervisor who has left
> the company, do you really want to mess up all the people who used to
> work for him?
>
> Or, rather more seriously, if ABC was the DBA, you can't leave him
> there, it's a massive security risk, but if you deleted him as per your
> rules, you'd end up with permissions of "everybody:none".

OK, I agree with that argument.
So which would be better:
1. Keep it as is
2. Add an option to revoke rights granted by ABC too
?

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
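
Added example, not part of the thread and not Firebird project code: an audit of the grants discussed above, read from Firebird's RDB$USER_PRIVILEGES system table. It assumes a scratch database and an isql session connected as the table owner or SYSDBA; the second query generalizes from ABC to any grantor.

```sql
-- Constructed scratch-database session. The first three statements are the
-- sample from the thread; everything after them is added for illustration.
create table t (f int);
grant select on t to public granted by abc;
revoke all on all from abc;
commit;

-- 1. Privileges still recorded with ABC as grantor. With the behaviour
--    described in the thread, the SELECT on T for PUBLIC is still listed.
select trim(p.rdb$user)          as grantee,
       p.rdb$user_type           as grantee_type,
       trim(p.rdb$privilege)     as privilege,
       trim(p.rdb$relation_name) as object_name,
       p.rdb$object_type         as object_type,
       p.rdb$grant_option        as grant_option
from rdb$user_privileges p
where p.rdb$grantor = 'ABC'
order by 4, 1, 3;

-- 2. General form: grants whose grantor holds no direct row for the same
--    privilege on the same object with grant option. Rows here are review
--    candidates, not findings: object owners acting for another grantor
--    (GRANTED BY) and grantors whose rights come through a role also match.
select trim(p.rdb$grantor)       as grantor,
       trim(p.rdb$user)          as grantee,
       trim(p.rdb$privilege)     as privilege,
       trim(p.rdb$relation_name) as object_name
from rdb$user_privileges p
where p.rdb$grantor is not null
  and p.rdb$grantor <> p.rdb$user
  and p.rdb$grantor <> 'SYSDBA'
  and not exists (
        select 1
        from rdb$user_privileges g
        where g.rdb$user          = p.rdb$grantor
          and g.rdb$relation_name = p.rdb$relation_name
          and g.rdb$privilege     = p.rdb$privilege
          and g.rdb$grant_option  > 0)
order by 1, 4, 2;
```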
