Search Postgresql Archives

Re: (Default) Group permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 06/30/2013 09:12 PM, Andrew Sullivan wrote:
> 
> If you want "easy", then just give different databases per user.  If
> you want complicated, you need an administrator; yes, that needs to be
> in some sense under the control of the host.  We have roughly 40 years
> of experience with these things, and the evidence is that
> "comprehensive but easy" is either badly insecure or very hard to
> operate well.  Which trade do you want to make?
> 

This is a false, er, trichotomy? The requirements I listed aren't very
hard to meet. Here's how you do it for a directory on the filesystem
(why do I get the feeling nobody is going to check out the repo):

  # Admins can do anything.
  setfacl    -m group:admins:rwx *-project
  setfacl -d -m group:admins:rwx *-project

  # The customer's developers can access their own projects.
  setfacl    -m group:customer-devs:rwx customer-project
  setfacl -d -m group:customer-devs:rwx customer-project

  # The anonymous user can only read things.
  setfacl    -m user:anonymous:rx customer-project
  setfacl -d -m user:anonymous:rx customer-project

This will work for eternity, and is perfectly secure. "Easy" is
relative, but it's easy for me, and I only have to do it once, so who
cares. I have find/xargs scripts that do the hard part for me.



-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux