Message-ID: <4DD6A3CA.3060302@lelarge.info>
Date: Fri, 20 May 2011 19:24:26 +0200
From: Guillaume Lelarge
To: Alvaro Herrera
CC: Derrick Rice, pgsql-docs
Subject: Re: DROP TABLE can be issued by schema owner as well as table owner
References: <4DD69445.3070507@lelarge.info> <1305910393-sup-7762@alvh.no-ip.org>
In-Reply-To: <1305910393-sup-7762@alvh.no-ip.org>

On 05/20/2011 06:53 PM, Alvaro Herrera wrote:
> Excerpts from Derrick Rice's message of Fri May 20 12:35:24 -0400 2011:
>> On Fri, May 20, 2011 at 12:18 PM, Guillaume Lelarge
>> wrote:
>>
>>> Well, for a specific object, any superuser, the database owner, the
>>> schema owner, and the object owner could drop the object. This is not a
>>> vulnerability.
>>>
>>
>> It is not documented clearly. Any information not made clear is an
>> opportunity for an error which leads to a vulnerability.
>
> So we need a standard caveat stmt on all relevant pages? Seems
> reasonable to me.
>

Could be. Not sure it's that important.

--
Guillaume
http://www.postgresql.fr
http://dalibo.com
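
The schema-owner case from the subject line, as an added example that is not part of the original message: a schema owner drops a table owned by another role, preceded by an audit query that lists every table exposed to this. The role, schema and table names are constructed for illustration; run it as a superuser in a scratch database.

```sql
-- Added example; schema_boss, table_maker and shared.t are constructed names.
-- Everything runs inside one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE schema_boss NOLOGIN;
CREATE ROLE table_maker NOLOGIN;

-- schema_boss owns the schema; table_maker may only create objects in it.
CREATE SCHEMA shared AUTHORIZATION schema_boss;
GRANT USAGE, CREATE ON SCHEMA shared TO table_maker;

-- table_maker creates (and therefore owns) a table in someone else's schema.
SET ROLE table_maker;
CREATE TABLE shared.t (id int);
RESET ROLE;

-- Audit check: tables whose owner is not the owner of the containing schema.
-- Each row is a table that a second role (the schema owner) is able to drop.
SELECT n.nspname                    AS schema_name,
       pg_get_userbyid(n.nspowner)  AS schema_owner,
       c.relname                    AS table_name,
       pg_get_userbyid(c.relowner)  AS table_owner
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'p')               -- ordinary and partitioned tables
AND    c.relowner <> n.nspowner
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY 1, 3;

-- schema_boss was never granted anything on shared.t, yet the drop succeeds
-- because ownership of the schema is sufficient for DROP TABLE.
SET ROLE schema_boss;
DROP TABLE shared.t;
RESET ROLE;

-- The table is gone: this returns NULL.
SELECT to_regclass('shared.t');

ROLLBACK;
```

Run on a production database, the audit query alone (without the surrounding setup) shows where table ownership and schema ownership diverge.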