On Mon, Jul 09, 2007 at 02:42:17PM -0400, Tim Olsen wrote:
>
> I take it the privilege table directly references the database by some ID
> number?

Well, sort of. It's going to be very hard to enforce anything in advance,
though.

> The reason I ask is because this sort of privilege is possible in
> MySQL: just grant all privs on a database (not yet necessarily created) and
> the user can drop and create that database at will. They probably store the
> privilege with a string for the database name instead of an ID of some sort.

Could be. How you'd do ALTER DATABASE. . .RENAME TO under such a scheme is
sort of beyond me, though. But anything I once knew about MySQL has probably
been replaced, so I'm not the one to ask.

> This is for software that we intend to distribute as open-source. I'd like
> to keep the createdb (to any db) and sudo requirements for running tests to
> a minimum.

I think you're going to need to think about this more. If people can look at
and modify the code, it's not at all clear to me how you're going to limit
their ability to createdb and such like.

> After further investigation, it looks like schemas might give me what I'm
> looking for.

Certainly inside a single database, schemas give you better control than
trying to limit createdb to particular effects. But if they have your code,
then they can still do this. Are you just trying to make this
newbie-friendly, or is this more a control attempt? If the latter, I fear
you are going down the wrong road.

A

-- 
Andrew Sullivan | ajs@xxxxxxxxxxxxxxx
The very definition of "news" is "something that hardly ever happens."
		--Bruce Schneier
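
Added example, not part of the original message or thread: a sketch of the schema-based arrangement discussed above, in which a test role without createdb rights can still drop and recreate its own scratch schema inside one database. It assumes PostgreSQL and psql; the names app_test, test_runner and test_scratch are hypothetical.

```sql
-- Assumption: PostgreSQL, run through psql as a superuser.
-- All object names below are hypothetical, chosen for illustration.

-- One-time setup by an administrator ------------------------------------
-- The test role can log in but cannot create databases or roles.
CREATE ROLE test_runner LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;
CREATE DATABASE app_test;

\connect app_test

-- Nobody gets implicit access; the test role may connect and may create
-- schemas in this one database only (CREATE on a database = new schemas).
REVOKE ALL ON DATABASE app_test FROM PUBLIC;
GRANT CONNECT, CREATE ON DATABASE app_test TO test_runner;

-- Keep test objects out of the shared public schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- What the test harness does on every run -------------------------------
-- SET ROLE stands in for logging in as test_runner.
SET ROLE test_runner;

-- The role owns the schema it created, so it can drop and recreate it
-- at will, which replaces "drop and create the database" for test resets.
DROP SCHEMA IF EXISTS test_scratch CASCADE;
CREATE SCHEMA test_scratch;
SET search_path = test_scratch;

CREATE TABLE widgets (
    id   serial PRIMARY KEY,
    name text NOT NULL
);
INSERT INTO widgets (name) VALUES ('constructed sample row');

-- Still refused, because the role lacks CREATEDB:
--   CREATE DATABASE other_db;   -- ERROR: permission denied to create database

-- Tear down after the run.
DROP SCHEMA test_scratch CASCADE;
RESET ROLE;
```

The grants bound what the test_runner login can do on this server; they do not constrain anyone who runs the distributed code with a more privileged account.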