Re: [NOVICE] create database, user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

Thorsten,

> I want to create a database and a matching user for a web
>  application.
> I want to do all that from an SQL file but I have problems with both
> 'create database' and 'create user'.
> 
> - I have still not grasped how I should connect to the DBMS for
>  things
> like that; there is no root. Is there a document describing best
> practices somewhere?

First, read:  http://www.postgresql.org/idocs/index.php?user-manag.html
 
all of it.

Your "root" user for PostgreSQL should be the user "postgres", unless
 you have used a non-standard install.  In a secure system, the
 postgres user should belong to the group "daemon", own the pgsql/
 driectory tree, and have a secure password, both on the system and on
 the database.  The postgres user will also own the databases template1
 and template0.  In a regular install, the postgres user will have
 inhereted whatever passowrd it had on the host system.

> - Are there any special provisions you have to follow to do create
> database, user, tables and other object with one SQL file?

There's two approaches you can take ... the easy but less secure, and
 the labor-itensive but very secure.  

The easy:
<in a shell script>
psql -U postgres -c "CREATE USER wwwuser WITH PASSWORD 'www-password'
 CREATEDB;" template1
psql -U wwwuser -c "CREATE DATABASE wwwdatabase;" template1

This will give you a new database with wwwuser as its owner.  wwwuser
 will have full rights on all database objects.  However, this is a not
 terribly secure setup, and I wouldn't reccomend it for any public
 website.

Instead, for a public website, you want to create the database with one
 user as its owner ... say "wwwowner", and a second as the "user" which
 the web scripts use (e.g. "wwwuser").   In this second case, you have
 to go through the labor of defining *specific* permissions for each
 and every object for "wwwuser":

GRANT SELECT, INSERT, UPDATE ON table1 TO wwwuser;

And don't forget your sequences, too:

GRANT SELECT, UPDATE ON table1_id_id_seq TO wwwuser;

It's a pain, but worth it the first time you get hacked.  This way,
 even if a cracker hijacks your web scripts, he can't do anything that
 wwwuser doesn't have permissions for.  One of the things I'm cautious
 about is that wwwuser doesn't have DELETE permissions on anything, or
 any permissions on the security log table.

Of course, wwwuser should not have a shell account, either.

You may wish to subscribe to the pgsql-php or pgsql-perl mailing lists.

-Josh Berkus
[Index of Archives]     [Postgresql General]     [Postgresql Admin]     [PHP Users]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Yosemite Backpacking]     [Postgresql Jobs]

  Powered by Linux