Re: how to create a role with no privileges?

From: Kynn Jones <kynnjo(at)gmail(dot)com>
To: Jerry Sievers <gsievers19(at)comcast(dot)net>
Cc: pgsql-general General <pgsql-general(at)postgresql(dot)org>
Subject: Re: how to create a role with no privileges?
Date: 2014-07-01 16:13:02
Message-ID: CAFvQaj7kH=zmSwnAbTdJRfNceEV=3t-Hz734SAPfFzYVuA3J0g@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Thanks for your reply.

Actually, AFAICT, revoking usage on the schemas you listed seems to have no
effect at all on the "minimal role"'s ability to use \l, \d, \dt, etc.

In particular, the minimal role still has access to the shell through \!.
YIKES!!!

kynn

On Mon, Jun 30, 2014 at 5:37 PM, Jerry Sievers <gsievers19(at)comcast(dot)net>
wrote:

> Kynn Jones <kynnjo(at)gmail(dot)com> writes:
>
> > How does one define the most limited role/user possible in PostgreSQL?
> >
> > Ideally, this role would not be able to do *anything* at all. In
> particular, this role would not be able to query meta-information about
> existing tables, functions,
> > etc. with backslash commands such as \dt, \df.
>
> Some new role created and not granted anything has only public rights
> which by default is the lowest level of privilege but as you probably
> are aware does permit creating objects in public schema and viewing
> certain system info.
>
> But you can revoke usage on schemas; public, pg_catalog,
> information_schema to create the illusion of even tighter than default
> perms.
>
> You would then need to grant usage on those schemas to some other role
> and give this role to real new roles/users who are permitted to do
> those things.
>
> >
> > (Of course, in practice such a role would not correspond to any real
> role. Its purpose, rather, is to serve as the starting point for defining
> more realistic roles by
> > selectively adding the fewest privileges possible).
> >
> > TIA for any pointers!
> >
> > kynn
> >
>
> --
> Jerry Sievers
> Postgres DBA/Development Consulting
> e: postgres(dot)consulting(at)comcast(dot)net
> p: 312.241.7800
>

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Francisco Olarte 2014-07-01 16:36:46 Re: how to create a role with no privileges?
Previous Message Patrick Simcoe 2014-07-01 15:42:04 Two-way encryption