| From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Steve Pribyl <Steve(dot)Pribyl(at)akunacapital(dot)com>, Melvin Davidson <melvin6925(at)gmail(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: postgres db permissions |
| Date: | 2015-06-02 21:26:13 |
| Message-ID: | 556E1F75.9070207@aklaver.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 06/02/2015 11:46 AM, Tom Lane wrote:
> Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> writes:
>> On 06/02/2015 11:04 AM, Steve Pribyl wrote:
>>> I have noted that "GRANT ALL ON SCHEMA public TO public" is granted
>>> on postgres.schemas.public. I am looking at this in pgadmin so excuse
>>> my nomenclature.
>
>>> Is this what is allowing write access to the database?
>
>> Yes, though that should not be the default.
>
> Huh? Of course it's the default. I'm not really sure why the OP is
> surprised at this. A database that won't let you create any tables
> is not terribly useful.
Aah, me being stupid.
>
> If you don't like this, you can get rid of the database's public schema
> and/or restrict who has CREATE permissions on it. But I can't see us
> shipping a default configuration in which only superusers can create
> tables. That would just encourage people to operate as superusers, which
> overall would be much less secure.
>
> regards, tom lane
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fabio Ugo Venchiarutti | 2015-06-02 21:30:16 | Re: Minor revision downgrade (9.2.11 -> 9.2.10) |
| Previous Message | Andres Freund | 2015-06-02 21:22:55 | Re: Re: [GENERAL] 9.4.1 -> 9.4.2 problem: could not access status of transaction 1 |