Re: "default deny" for roles - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: "default deny" for roles
Msg-id 503D7138.2030008@dunslane.net
In response to Re: "default deny" for roles  (Craig Ringer <ringerc@ringerc.id.au>)
Responses Re: "default deny" for roles
List pgsql-hackers
On 08/28/2012 09:09 PM, Craig Ringer wrote:
> On 08/29/2012 01:25 AM, David Fetter wrote:
>> Folks,
>>
>> There are situations where a "default deny" policy is the best fit.
>>
>> To that end, I have a modest proposal:
>>
>>      REVOKE PUBLIC FROM role;
>>
>> Thenceforth, the role in question would only have access to things it
>> was specifically granted.
>
> Wouldn't that render the user utterly unable to do anything until you 
> added a bunch of GRANTs on the system catalogs for that user or a 
> group they're a member of?


No.

Try it and see. You can do a lot without having any access rights at all 
to the catalog tables.

cheers

andrew



