Re: postgres db permissions

From: Melvin Davidson <melvin6925(at)gmail(dot)com>
To: Steve Pribyl <Steve(dot)Pribyl(at)akunacapital(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: postgres db permissions
Date: 2015-06-02 18:25:11
Message-ID: CANu8Fixudrz8ZNGV3QZHbKDG-hPY6VkYSMOjzO2HX0d7YJjHTA@mail.gmail.com
Lists: pgsql-general

Yes. It is NEVER a good idea to use GRANT ALL on objects for users. Some
people use that as a short cut for allowing access to schemas and tables,
but in essence, it allows the users to do much more, and that is BAD!

http://www.postgresql.org/docs/9.3/interactive/sql-grant.html

On Tue, Jun 2, 2015 at 2:08 PM, Steve Pribyl <Steve(dot)Pribyl(at)akunacapital(dot)com>
wrote:

> They all look like this.
>
> CREATE ROLE dbA
> NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
>
> Steve Pribyl
>
> ________________________________________
> From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
> Sent: Tuesday, June 2, 2015 1:06 PM
> To: Steve Pribyl; Joshua D. Drake; pgsql-general(at)postgresql(dot)org
> Subject: Re: [GENERAL] postgres db permissions
>
> On 06/02/2015 10:50 AM, Steve Pribyl wrote:
> > Josh,
> >
> > Via psql:
> > CREATE ROLE bob LOGIN
> > NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
> > GRANT dbA TO bob;
> > GRANT dbA_ro TO bob;
> > GRANT dbB TO bob;
> > GRANT dbB_ro TO bob;
> >
> > dbA, dbA_ro, dbB, and dbB_ro are roles.
>
> The burning question would be, how were they created?
>
> >
> > I have not created any database yet or assigned permissions to the roles.
> >
> > Steve Pribyl
> >
> >
> >
> > ________________________________________
> > From: pgsql-general-owner(at)postgresql(dot)org <pgsql-general-owner(at)postgresql(dot)org> on behalf of Joshua D. Drake <jd(at)commandprompt(dot)com>
> > Sent: Tuesday, June 2, 2015 12:44 PM
> > To: pgsql-general(at)postgresql(dot)org
> > Subject: Re: [GENERAL] postgres db permissions
> >
> > On 06/02/2015 10:36 AM, Steve Pribyl wrote:
> >>
> >> Good Afternoon,
> >>
> >> Built a fresh 9.3. postgres server and added some users and noticed that any user can create tables in any database including the postgres database by default.
> >>
> >> Have I missed some step in securing the default install?
> >
> > How exactly did you add the users?
> >
> > JD
> >
> >
> >
> > --
> > Command Prompt, Inc. - http://www.commandprompt.com/ 503-667-4564
> > PostgreSQL Centered full stack support, consulting and development.
> > Announcing "I'm offended" is basically telling the world you can't
> > control your own emotions, so everyone else should do it for you.
> >
> >
> > --
> > Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> > To make changes to your subscription:
> > http://www.postgresql.org/mailpref/pgsql-general
> > ________________________________
> > [http://www.akunacapital.com/images/akuna.png]
> > Steve Pribyl | Senior Systems Engineer
> > Akuna Capital LLC
> > 36 S Wabash, Suite 310 Chicago IL 60603 USA | www.akunacapital.com <
> http://www.akunacapital.com>
> > p: +1 312 994 4646 | m: 847-343-2349 | f: +1 312 750 1667 |
> Steve(dot)Pribyl(at)akunacapital(dot)com
> >
> > Please consider the environment, before printing this email.
> >
> > This electronic message contains information from Akuna Capital LLC that
> may be confidential, legally privileged or otherwise protected from
> disclosure. This information is intended for the use of the addressee only
> and is not offered as investment advice to be relied upon for personal or
> professional use. Additionally, all electronic messages are recorded and
> stored in compliance pursuant to applicable SEC rules. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, printing or any other use of, or any action in reliance on,
> the contents of this electronic message is strictly prohibited. If you have
> received this communication in error, please notify us by telephone at
> (312)994-4640 and destroy the original message.
> >
> >
>
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com

--
*Melvin Davidson*
I reserve the right to fantasize. Whether or not you
wish to share my fantasy is entirely up to you.
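
Added example, not part of the original messages: in PostgreSQL 9.3 every role holds CREATE on each database's `public` schema and CONNECT on each database through the implicit PUBLIC group, which is why a freshly created role can create tables anywhere. The script below removes those defaults and grants narrow privileges in place of GRANT ALL, using the thread's roles `dbA` and `dbA_ro`; the database `appdb` and schema `app` are assumed names.

```sql
-- Added example. "appdb" and "app" are hypothetical names;
-- dbA and dbA_ro are the group roles created in the thread.
-- Run as a superuser while connected to appdb.

-- 1. Remove what every role receives through PUBLIC by default.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE appdb FROM PUBLIC;   -- default CONNECT and TEMPORARY

-- 2. Only the two group roles may connect to this database.
GRANT CONNECT ON DATABASE appdb TO dbA, dbA_ro;

-- 3. Application objects live in their own schema, owned by the
--    read-write role. The read-only role may look up objects in it,
--    but holds no CREATE privilege on it.
CREATE SCHEMA app AUTHORIZATION dbA;
GRANT USAGE ON SCHEMA app TO dbA_ro;

-- 4. Read-only access: SELECT on the tables that exist now, and on
--    tables dbA creates later (default privileges are per creating role).
GRANT SELECT ON ALL TABLES IN SCHEMA app TO dbA_ro;
ALTER DEFAULT PRIVILEGES FOR ROLE dbA IN SCHEMA app
    GRANT SELECT ON TABLES TO dbA_ro;

-- 5. Check the effective privileges of the read-only role.
--    Unquoted role names are folded to lower case, hence 'dba_ro'.
SELECT has_database_privilege('dba_ro', 'appdb',  'CONNECT') AS can_connect,
       has_schema_privilege  ('dba_ro', 'public', 'CREATE')  AS create_in_public,
       has_schema_privilege  ('dba_ro', 'app',    'USAGE')   AS use_app,
       has_schema_privilege  ('dba_ro', 'app',    'CREATE')  AS create_in_app;

-- 6. List remaining grants to PUBLIC on databases (an ACL entry whose
--    grantee is empty, e.g. "=Tc/postgres", is a grant to PUBLIC;
--    a NULL datacl means the built-in defaults still apply).
SELECT datname, datacl FROM pg_database ORDER BY datname;
```

The `public` schema exists separately in each database, so the first REVOKE has to be repeated in every database, including `postgres`, and in `template1` if newly created databases should start without it.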
