Re: Default privileges for new databases (was Re: Can't import - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Default privileges for new databases (was Re: Can't import
Date
Msg-id 200206140504.g5E54rA04051@candle.pha.pa.us
In response to Re: Default privileges for new databases (was Re: Can't import large objects in most recent cvs)  (Josh Berkus <josh@agliodbs.com>)
List pgsql-hackers
Josh Berkus wrote:
> 
> Tom,
> 
> > Probably we should have temp table creation allowed to all by default.
> > I'm not convinced that that's a good idea for schema-creation privilege
> > though.  Related issues: what should initdb set as the permissions for
> > template1?  Would it make sense for newly created databases to copy
> > their permission settings from the template database?  (Probably not,
> > since the owner is likely to be different.)  What about copying those
> > per-database config settings Peter just invented?
> 
> Yes.  I think there should be a not optional INITDB switch:  either --secure 
> or --permissive.   People usually know at the time of installation whether 
> they're building a web server (secure) or a home workstation (permissive).  
> 
> Depending on the setting, this should set either a grant all or revoke all for 
> non-db owners as default, including such things as temp table creation.

I like this idea.  I think we should prompt for tcp socket permission
setting for only the owner (Peter E's idea that I think he wants for
7.3), default public schema permissions, temp schema permissions, stuff
like that. We can have initdb flags to prevent the prompting, but doing
this querying at initdb time seems like an ideal solution.  We have
needed such control for a while.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
 

