The lack of a permissions check for creating a child table means that in current sources, any user can inject data of his choosing into another user's tables. Example: User A: regression=> create table foo (f1 text); CREATE regression=> insert into foo values ('good data'); INSERT 271570 1 User B: regression=> create table foohack () inherits (foo); CREATE regression=> insert into foohack values ('you have been hacked!'); INSERT 271598 1 Now User A sees: regression=> select * from foo; f1 ----------------------- good data you have been hacked! (2 rows) User A can only avoid this trap by being very careful to specify ONLY in every query. If he *intends* to use foo as an inheritance tree master, then that cure doesn't work either. Just to add insult to injury, user A is now unable to drop table foo. He'll also get permission failures from commands like "UPDATE foo ..." I suppose a proper fix would involve adding a new permission type "can make child tables", but I don't want to mess with that at the moment. For 7.1, I propose that we only allow creation of child tables to the owner of the parent table. Comments? regards, tom lane PS: another interesting problem: create a temp table, then create a non-temp table that inherits from it. Unhappiness ensues when you end your session. Need to prohibit this combination, I think.