Re: Restricting the CREATEROLE privilege

From: Alex Hunsaker <badalex(at)gmail(dot)com>
To: "Wappler, Robert" <rwappler(at)ophardt(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Restricting the CREATEROLE privilege
Date: 2010-02-25 16:16:32
Message-ID: 34d269d41002250816k78f8e26fl83c74921f1ac8b3f@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Thu, Feb 25, 2010 at 08:22, Wappler, Robert <rwappler(at)ophardt(dot)com> wrote:
> Unfortunately, base_user inherits the connect privileges from role
> PUBLIC, regardless, whether it was created with NOINHERIT.

Yeah, IMO the documentation does not really spell out that limitation.

> How about changing the CREATEROLE privilege to be associated with a
> specific database instead of affecting all databases?

Well just on the grounds that it would break every current user of
CREATE ROLE... that's probably not going to happen. I could imagine
there could be some syntax sugar for this. But I don't think it would
be any nicer as you would probably need to REVOKE PUBLIC and inherit
anyway. Not to mention I'm not sure what the semantics would be or
where it gets its 'default' permissions. A ruff idea would be for
each database (except the connected one) REVOKE ALL on database. Of
course feel free to flesh it out and submit a patch :). In any event
its certainly too late for 9.0 and would not be back patched anyway...

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Andy Yoder 2010-02-25 16:36:25 Tool for determining field usage of database tables
Previous Message Dominik Sander 2010-02-25 15:52:32 Boolean partition constraint behaving strangely