Re: Restricting user -> database access. - Mailing list pgsql-admin

From Tom Lane
Subject Re: Restricting user -> database access.
Date
Msg-id 13789.998450536@sss.pgh.pa.us
In response to Restricting user -> database access.  ("C. Bensend" <benny@bennyvision.com>)
Responses Re: Restricting user -> database access.
List pgsql-admin
"C. Bensend" <benny@bennyvision.com> writes:
>     I don't see any real way to keep users from connecting
> to their own databases via psql, and then using "\c <otherdb>"
> to connect to someone else's database.

Huh?  \c is checked exactly as tightly as a fresh connection --- it
*is* a fresh connection, as far as the server is concerned.

>     IS there a way to limit a user's ability to connect
> to only THEIR database?

See "sameuser" option in pg_hba.conf.

> hostssl      bobsdb    a.b.c.d   255.255.255.255   crypt

> This works fine, asks for a password, connects the user, and
> then they can "\c otherdb" without any problem.

The above line does not allow connections to ANY database other than
bobsdb.  If anyone can connect to anything else at all, it's because
you have additional pg_hba lines that you're not showing us.

> hostssl      bobsdb    a.b.c.d   255.255.255.255   ident   sameuser

"sameuser" in the database column (column 2) was what I was talking
about.  "sameuser" as an ident argument is a different concept
altogether.

            regards, tom lane
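
An added example, not part of the message above and not PostgreSQL's own code: a small Python model of how the server picks the first matching record in the six-column host/hostssl format quoted in this thread. It shows why the single bobsdb line cannot admit a connection to another database, and how "sameuser" in the database column differs from "sameuser" as an ident argument. The address 192.0.2.10, the user "bob" and the extra "host all ... trust" line are constructed for illustration, and the model only selects a record; it does not perform the authentication step.

```python
import ipaddress

# Constructed sample configs (192.0.2.10 stands in for the page's a.b.c.d).
SHOWN = "hostssl bobsdb 192.0.2.10 255.255.255.255 crypt"
EXTRA = SHOWN + "\nhost all 0.0.0.0 0.0.0.0 trust"   # hypothetical unshown line
DB_SAMEUSER = "hostssl sameuser 192.0.2.10 255.255.255.255 crypt"
IDENT_ARG = "hostssl bobsdb 192.0.2.10 255.255.255.255 ident sameuser"

def parse_hba(text):
    """Parse records of the form: TYPE DATABASE IP MASK AUTH [ARG]."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 5 and f[0] in ("host", "hostssl"):
            rules.append({
                "type": f[0], "database": f[1],
                "ip": int(ipaddress.IPv4Address(f[2])),
                "mask": int(ipaddress.IPv4Address(f[3])),
                "auth": f[4], "arg": f[5] if len(f) > 5 else None,
            })
    return rules

def match(rules, user, database, client_ip, ssl):
    """Return the first record matching the attempt, or None (rejected)."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for r in rules:
        if r["type"] == "hostssl" and not ssl:
            continue                      # hostssl matches SSL connections only
        if (ip & r["mask"]) != (r["ip"] & r["mask"]):
            continue
        db = r["database"]
        if db == "all" or (db == "sameuser" and database == user) \
                or (db not in ("all", "sameuser") and db == database):
            return r                      # first match decides; no fall-through
    return None

def allowed(config, user, database, ssl=True, client_ip="192.0.2.10"):
    """Auth method that would be applied, or None if no record matches."""
    r = match(parse_hba(config), user, database, client_ip, ssl)
    return r["auth"] if r else None

if __name__ == "__main__":
    for name, cfg in [("shown", SHOWN), ("extra", EXTRA),
                      ("db sameuser", DB_SAMEUSER), ("ident arg", IDENT_ARG)]:
        print(name, {db: allowed(cfg, "bob", db) for db in ("bob", "bobsdb", "otherdb")})
```

Running it over a real pg_hba.conf in this format is a quick way to find the broad record (typically an "all" line) that lets a user reach databases they should not.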
