Search Postgresql Archives

Re: postgres db permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes. It is NEVER a good idea to use GRANT ALL on objects for users. Some people use that as a short cut for allowing access to schemas and tables, but in essence, it allows the users to do much more, and that is BAD!

http://www.postgresql.org/docs/9.3/interactive/sql-grant.html

On Tue, Jun 2, 2015 at 2:08 PM, Steve Pribyl <Steve.Pribyl@xxxxxxxxxxxxxxxx> wrote:
They all look like this.

CREATE ROLE dbA
  NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;

Steve Pribyl

________________________________________
From: Adrian Klaver <adrian.klaver@xxxxxxxxxxx>
Sent: Tuesday, June 2, 2015 1:06 PM
To: Steve Pribyl; Joshua D. Drake; pgsql-general@xxxxxxxxxxxxxx
Subject: Re: postgres db permissions

On 06/02/2015 10:50 AM, Steve Pribyl wrote:
> Josh,
>
> Via psql:
> CREATE ROLE bob LOGIN
>    NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
> GRANT dbA TO bob;
> GRANT dbA_ro TO bob;
> GRANT dbB TO bob;
> GRANT dbB_ro TO bob;
>
> dbA, dbA_ro, dbB, and dbB_ro are roles.

The burning question would be, how where they created?

>
> I have not created any database yet or assigned permissions to the roles.
>
> Steve Pribyl
>
>
>
> ________________________________________
> From: pgsql-general-owner@xxxxxxxxxxxxxx <pgsql-general-owner@xxxxxxxxxxxxxx> on behalf of Joshua D. Drake <jd@xxxxxxxxxxxxxxxxx>
> Sent: Tuesday, June 2, 2015 12:44 PM
> To: pgsql-general@xxxxxxxxxxxxxx
> Subject: Re: postgres db permissions
>
> On 06/02/2015 10:36 AM, Steve Pribyl wrote:
>>
>> Good Afternoon,
>>
>> Built a fresh 9.3. postgres server and added some users and noticed that any user can create tables in any database including the postgres database by default.
>>
>> Have I missed some step in securing the default install?
>
> How exactly did you add the users?
>
> JD
>
>
>
> --
> Command Prompt, Inc. - http://www.commandprompt.com/  503-667-4564
> PostgreSQL Centered full stack support, consulting and development.
> Announcing "I'm offended" is basically telling the world you can't
> control your own emotions, so everyone else should do it for you.
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
> ________________________________
>   [http://www.akunacapital.com/images/akuna.png]
> Steve Pribyl | Senior Systems Engineer
> Akuna Capital LLC
> 36 S Wabash, Suite 310 Chicago IL 60603 USA | www.akunacapital.com <http://www.akunacapital.com>
> p: +1 312 994 4646 | m: 847-343-2349 | f: +1 312 750 1667 | Steve.Pribyl@xxxxxxxxxxxxxxxx
>
> Please consider the environment, before printing this email.
>
> This electronic message contains information from Akuna Capital LLC that may be confidential, legally privileged or otherwise protected from disclosure. This information is intended for the use of the addressee only and is not offered as investment advice to be relied upon for personal or professional use. Additionally, all electronic messages are recorded and stored in compliance pursuant to applicable SEC rules. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, printing or any other use of, or any action in reliance on, the contents of this electronic message is strictly prohibited. If you have received this communication in error, please notify us by telephone at (312)994-4640 and destroy the original message.
>
>


--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
________________________________
 [http://www.akunacapital.com/images/akuna.png]
Steve Pribyl | Senior Systems Engineer
Akuna Capital LLC
36 S Wabash, Suite 310 Chicago IL 60603 USA | www.akunacapital.com <http://www.akunacapital.com>
p: +1 312 994 4646 | m: 847-343-2349 | f: +1 312 750 1667 | Steve.Pribyl@xxxxxxxxxxxxxxxx

Please consider the environment, before printing this email.

This electronic message contains information from Akuna Capital LLC that may be confidential, legally privileged or otherwise protected from disclosure. This information is intended for the use of the addressee only and is not offered as investment advice to be relied upon for personal or professional use. Additionally, all electronic messages are recorded and stored in compliance pursuant to applicable SEC rules. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, printing or any other use of, or any action in reliance on, the contents of this electronic message is strictly prohibited. If you have received this communication in error, please notify us by telephone at (312)994-4640 and destroy the original message.


--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general



--
Melvin Davidson
I reserve the right to fantasize.  Whether or not you
wish to share my fantasy is entirely up to you.


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux