Yes. It is NEVER a good idea to use GRANT ALL on objects for users. Some people use that as a short cut for allowing access to schemas and tables, but in essence, it allows the users to do much more, and that is BAD!
http://www.postgresql.org/docs/9.3/interactive/sql-grant.html
http://www.postgresql.org/docs/9.3/interactive/sql-grant.html
On Tue, Jun 2, 2015 at 2:08 PM, Steve Pribyl <Steve.Pribyl@xxxxxxxxxxxxxxxx> wrote:
They all look like this.
CREATE ROLE dbA
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
Steve Pribyl
________________________________________
From: Adrian Klaver <adrian.klaver@xxxxxxxxxxx>
Sent: Tuesday, June 2, 2015 1:06 PM
To: Steve Pribyl; Joshua D. Drake; pgsql-general@xxxxxxxxxxxxxx
Subject: Re: postgres db permissions
On 06/02/2015 10:50 AM, Steve Pribyl wrote:
> Josh,
>
> Via psql:
> CREATE ROLE bob LOGIN
> NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
> GRANT dbA TO bob;
> GRANT dbA_ro TO bob;
> GRANT dbB TO bob;
> GRANT dbB_ro TO bob;
>
> dbA, dbA_ro, dbB, and dbB_ro are roles.
The burning question would be, how where they created?
>
> I have not created any database yet or assigned permissions to the roles.
>
> Steve Pribyl
>
>
>
> ________________________________________
> From: pgsql-general-owner@xxxxxxxxxxxxxx <pgsql-general-owner@xxxxxxxxxxxxxx> on behalf of Joshua D. Drake <jd@xxxxxxxxxxxxxxxxx>
> Sent: Tuesday, June 2, 2015 12:44 PM
> To: pgsql-general@xxxxxxxxxxxxxx
> Subject: Re: postgres db permissions
>
> On 06/02/2015 10:36 AM, Steve Pribyl wrote:
>>
>> Good Afternoon,
>>
>> Built a fresh 9.3. postgres server and added some users and noticed that any user can create tables in any database including the postgres database by default.
>>
>> Have I missed some step in securing the default install?
>
> How exactly did you add the users?
>
> JD
>
>
>
> --
> Command Prompt, Inc. - http://www.commandprompt.com/ 503-667-4564
> PostgreSQL Centered full stack support, consulting and development.
> Announcing "I'm offended" is basically telling the world you can't
> control your own emotions, so everyone else should do it for you.
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
> ________________________________
> [http://www.akunacapital.com/images/akuna.png]
> Steve Pribyl | Senior Systems Engineer
> Akuna Capital LLC
> 36 S Wabash, Suite 310 Chicago IL 60603 USA | www.akunacapital.com <http://www.akunacapital.com>
> p: +1 312 994 4646 | m: 847-343-2349 | f: +1 312 750 1667 | Steve.Pribyl@xxxxxxxxxxxxxxxx
>
> Please consider the environment, before printing this email.
>
> This electronic message contains information from Akuna Capital LLC that may be confidential, legally privileged or otherwise protected from disclosure. This information is intended for the use of the addressee only and is not offered as investment advice to be relied upon for personal or professional use. Additionally, all electronic messages are recorded and stored in compliance pursuant to applicable SEC rules. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, printing or any other use of, or any action in reliance on, the contents of this electronic message is strictly prohibited. If you have received this communication in error, please notify us by telephone at (312)994-4640 and destroy the original message.
>
>
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
________________________________
[http://www.akunacapital.com/images/akuna.png]
Steve Pribyl | Senior Systems Engineer
Akuna Capital LLC
36 S Wabash, Suite 310 Chicago IL 60603 USA | www.akunacapital.com <http://www.akunacapital.com>
p: +1 312 994 4646 | m: 847-343-2349 | f: +1 312 750 1667 | Steve.Pribyl@xxxxxxxxxxxxxxxx
Please consider the environment, before printing this email.
This electronic message contains information from Akuna Capital LLC that may be confidential, legally privileged or otherwise protected from disclosure. This information is intended for the use of the addressee only and is not offered as investment advice to be relied upon for personal or professional use. Additionally, all electronic messages are recorded and stored in compliance pursuant to applicable SEC rules. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, printing or any other use of, or any action in reliance on, the contents of this electronic message is strictly prohibited. If you have received this communication in error, please notify us by telephone at (312)994-4640 and destroy the original message.
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
--
Melvin Davidson
I reserve the right to fantasize. Whether or not you
wish to share my fantasy is entirely up to you.
I reserve the right to fantasize. Whether or not you
wish to share my fantasy is entirely up to you.