| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Michael(dot)Dietrich(at)swisscom(dot)com, pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Connect to db denied for superuser inherited by group |
| Date: | 2018-03-16 14:52:44 |
| Message-ID: | 19470.1521211964@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Michael(dot)Dietrich(at)swisscom(dot)com (Michael(dot)Dietrich(at)swisscom(dot)com) wrote:
>> 2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.)
> Please provide more details about what this step #2 actually means.
If you mean that you did "GRANT superuserrole TO nonsuperuser", this
does not make "nonsuperuser" into a superuser; it merely allows
"nonsuperuser" to use whatever ordinary privileges might've been
granted to "superuserrole". If you did that with the bootstrap
superuser, this would include ownership rights on all built-in
objects, so it'd still be pretty darn dangerous; but it does not
give the ability to ignore privileges for other objects.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G. Johnston | 2018-03-16 15:08:03 | Re: Connect to db denied for superuser inherited by group |
| Previous Message | Stephen Frost | 2018-03-16 13:42:34 | Re: Connect to db denied for superuser inherited by group |