Re: Any way to have CREATEUSER privs without having all privs? - Mailing list pgsql-general

From Ezra Epstein
Subject Re: Any way to have CREATEUSER privs without having all privs?
Date
Msg-id MOOdnUQVgI7ODmaiXTWc-g@speakeasy.net
Whole thread Raw
In response to Any way to have CREATEUSER privs without having all privs?  ("ezra epstein" <ee_newsgroup_post@prajnait.com>)
List pgsql-general
"Tom Lane" <tgl@sss.pgh.pa.us> wrote in message
news:6596.1073173257@sss.pgh.pa.us...
> "ezra epstein" <ee_newsgroup_post@prajnait.com> writes:
> > Basically I want a login user that can then set session auth... to any
other
> > user but otherwise has no privs.
>
> You have not thought this through.
>
> If user X can become any other user Y, then he can do anything that is
> doable within the system.  Pretending that he is not superuser is
> pointless.
>
> regards, tom lane
>

I know, I know....  It's like I want something that just isn't possible.  I
want good DB-level security in the app without requiring the overhead of
per-userid login: so connection pools can work.  The app could be careful
with super user... but it is probably better to just go the ordinary route
of an app account with enough privs to do everything and then have the
app/servlet container manage security.

Thanks,

== EE



pgsql-general by date:

Previous
From: Christopher Browne
Date:
Subject: Re: 7.4, 'group by' default ordering?
Next
From: Doug McNaught
Date:
Subject: Re: Backend start-up failed FATAL : non-superuser