Re: Making a schema "read-only" (was Unexpected message in grant/revoke script)

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Webb Sprague" <webb(dot)sprague(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Making a schema "read-only" (was Unexpected message in grant/revoke script)
Date: 2008-03-14 19:55:09
Message-ID: 24460.1205524509@sss.pgh.pa.us
Lists: pgsql-general

"Webb Sprague" <webb(dot)sprague(at)gmail(dot)com> writes:
> Also, I revoked what I thought was everything possible on the public
> schema, but a user is still able to create a table in that schema --
> could someone explain:

> oregon=# revoke create on schema public from foobar cascade;
> REVOKE

You've got a conceptual error here: the above only does something if
you'd previously done an explicit "GRANT TO foobar". You haven't,
so there's nothing to revoke.

The reason people can create stuff in public is that by default,
create on schema public is granted to PUBLIC, i.e. the world.

Start with
	revoke all on schema public from public
and then grant only what you want.

regards, tom lane
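
Added example, not part of the message above: a psql session sketch that shows where the CREATE privilege actually comes from and verifies the effect of the revoke. The role name foobar is taken from the thread; it is assumed to be an ordinary role (not a superuser and not the schema owner), and the statements are assumed to be run by the schema owner or a superuser.

```sql
-- Added example (not from the original message).

-- 1. Look at the schema ACL. An entry with an empty grantee, such as
--    "=UC/postgres", is the grant to PUBLIC: U = USAGE, C = CREATE.
--    Note: clusters initialized on PostgreSQL 15 or later no longer
--    grant CREATE on schema public to PUBLIC by default.
SELECT nspname, nspacl
FROM pg_namespace
WHERE nspname = 'public';

-- 2. Effective privileges for foobar. These include anything the role
--    receives through PUBLIC, which is why a REVOKE aimed at foobar
--    alone changes nothing when no direct grant to foobar exists.
SELECT has_schema_privilege('foobar', 'public', 'CREATE') AS can_create,
       has_schema_privilege('foobar', 'public', 'USAGE')  AS can_use;

BEGIN;

-- 3. Remove the grant to PUBLIC itself.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 4. Grant back only what is wanted. USAGE lets foobar reference
--    objects in the schema without being able to create new ones.
GRANT USAGE ON SCHEMA public TO foobar;

-- 5. Table privileges are separate from schema privileges, so a
--    read-only role also needs SELECT on the tables it should read.
--    (GRANT ... ON ALL TABLES IN SCHEMA requires PostgreSQL 9.0+;
--    on older servers grant SELECT table by table.)
GRANT SELECT ON ALL TABLES IN SCHEMA public TO foobar;

-- 6. Verify before committing: can_create should now be false and
--    can_use true for foobar.
SELECT has_schema_privilege('foobar', 'public', 'CREATE') AS can_create,
       has_schema_privilege('foobar', 'public', 'USAGE')  AS can_use;

COMMIT;
```

If step 6 still reports can_create as true, check whether foobar is a member of another role that holds CREATE on the schema.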
