From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Kenneth Downs <ken(at)secdat(dot)com> |
Cc: | Ron Johnson <ron(dot)l(dot)johnson(at)cox(dot)net>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: HIPPA (was Re: Anyone know ...) |
Date: | 2007-03-10 02:04:40 |
Message-ID: | 6231.1173492280@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Kenneth Downs <ken(at)secdat(dot)com> writes:
> The biggest security limitation we have is actually a weakness in
> Postgres - the inability to restrict the abilities of a user with
> CREATUSER rights, they can make somebody who can do anything. For
> higher security this requires no ability for public registration of
> accounts. This would be solved if we could restrict a CREATUSER user to
> only GRANTing to roles they themselves are in.
I thought about this for awhile, but I think you are missing the reason
why it's designed the way it is. The point of CREATEROLE privilege is
to be a slightly safer form of superuser: that is, to allow the DBA to
do all his day-to-day management of user accounts without being a real
superuser who can corrupt the database arbitrarily badly. If we
restricted CREATEROLE as you suggest, then either DBAs would have to
make their CREATEROLE account a member of every role they manage, or
they'd have to run as real superusers. Either choice represents a
significant increase in the capabilities of the CREATEROLE account and
thus more chance for mistakes. So while a miscreant with CREATEROLE
can certainly avail himself of any database privilege short of
superuserness, in the intended use of the feature it is actually
possible for DBAs to operate with *fewer* privileges than they would
need to get useful work done if we adopted your suggestion.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Jorge Godoy | 2007-03-10 02:07:26 | Re: Setting week starting day |
Previous Message | Bruno Wolff III | 2007-03-10 02:00:12 | Re: Setting week starting day |