Thread: few security questions

few security questions

From
R D
Date:
Hi there, I'm migrating from MySQL to PgSQL and
I have a few questions on PgSQL security:
  1. How can I forbid some users from creating tables
in some databases which they can access?
  2. How can I GRANT/REJECT some privileges on all
objects in a database TO/FROM some users, since I
can't type "GRANT ALL ON * TO SOMEUSER;" in PgSQL. Is
there any functional analog?
  3. How can I reject connections from some users to
some databases from any host using password
authentication?
  4. Why does this pg_hba.conf not allow users from
192.168.200.X to connect to the databases, with a message
telling that there was no entry for 192.168.200.x in
pg_hba.conf?
# pg_hba.conf

local  all                                   trust
host   all    0.0.0.0          0.0.0.0       reject
host   all    192.168.200.0    255.255.255.0 password

Thanks in advance!

Rumen



Re: few security questions

From
Peter Eisentraut
Date:
R D writes:

>   1. How can I forbid some users from creating tables
> in some databases which they can access?

You can't. Working on that ...

>   2. How can I GRANT/REJECT some privileges on all
> objects in a database TO/FROM some users, since i
> can't type "GRANT ALL ON * TO SOMEUSER;" in PgSQL. Is
> there any functional analog?

You can't internally. You can read the list of all tables from the
pg_class system catalog and have your application issue the command GRANT
x ON table1, table2, table3, ... TO y.

>   3. How can I reject to some users connections to
> some databases from any host using password
> authentication?

You can create a separate password file for the databases and only list
the users you want in that password file. The syntax for this is
`... password filename' in pg_hba.conf. See also the pg_passwd command for
making password files.

>   4. Why does this pg_hba.conf not allow users from
> 192.168.200.X to connect to the databases, with a message
> telling that there was no entry for 192.168.200.x in
> pg_hba.conf?
> # pg_hba.conf
>
> local  all                                   trust
> host   all    0.0.0.0          0.0.0.0       reject
> host   all    192.168.200.0    255.255.255.0 password

Because a mask of 0.0.0.0 matches every host, so the reject kicks in. The
logic here is that

    ({host entry} XOR {actual host}) AND {mask entry}

must be 0 for a record to match.


--
Peter Eisentraut                  Sernanders väg 10:115
peter_e@gmx.net                   75262 Uppsala
http://yi.org/peter-e/            Sweden
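An added example for the answer to question 2, not code from the original thread: it builds the "GRANT x ON table1, table2, ... TO y" statement Peter describes from a list of table names. The rows in SAMPLE_ROWS are a constructed stand-in for the result of the pg_class query, and the role name "someuser" is hypothetical. The point worth adding is that names read out of the catalog must be quoted as SQL identifiers before being spliced into the statement, otherwise a mixed-case or oddly named table either fails to match or breaks the statement.

```python
# Added example, not code from the original thread.  Generates the
# GRANT/REVOKE statement Peter suggests from table names read out of
# pg_class.  SAMPLE_ROWS and the role "someuser" are constructed.

# Query the application would run first.  substr() is used instead of
# LIKE so the pg_* catalog tables are skipped the same way regardless of
# how a given PostgreSQL version treats backslashes in LIKE patterns.
CATALOG_QUERY = """
SELECT relname
  FROM pg_class
 WHERE relkind = 'r'
   AND substr(relname, 1, 3) <> 'pg_'
 ORDER BY relname;
"""

# Constructed rows standing in for what CATALOG_QUERY would return,
# including a mixed-case name and one containing a double quote.
SAMPLE_ROWS = ["customers", "Orders", "order_items", 'odd"name']

# Privileges a 7.x-era GRANT understands; anything else is refused rather
# than interpolated into the statement.
PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE", "RULE", "ALL"}


def quote_ident(name):
    """Quote a catalog name as an SQL identifier so that case is preserved
    and an embedded double quote cannot terminate the identifier."""
    return '"' + name.replace('"', '""') + '"'


def privilege_statement(action, privilege, tables, role):
    """Return one GRANT or REVOKE statement covering every table in `tables`."""
    if action not in ("GRANT", "REVOKE"):
        raise ValueError("action must be GRANT or REVOKE")
    if privilege.upper() not in PRIVILEGES:
        raise ValueError("unknown privilege: %r" % privilege)
    if not tables:
        raise ValueError("no tables to act on")
    target_list = ", ".join(quote_ident(t) for t in tables)
    keyword = "TO" if action == "GRANT" else "FROM"
    return "%s %s ON %s %s %s;" % (
        action, privilege.upper(), target_list, keyword, quote_ident(role)
    )


def grant_all_tables(privilege, role, rows=SAMPLE_ROWS):
    """The 'grant on everything in the database' the poster asked for."""
    return privilege_statement("GRANT", privilege, rows, role)


def revoke_all_tables(privilege, role, rows=SAMPLE_ROWS):
    """The matching 'revoke on everything'."""
    return privilege_statement("REVOKE", privilege, rows, role)


if __name__ == "__main__":
    print(grant_all_tables("SELECT", "someuser"))
    print(revoke_all_tables("ALL", "someuser"))
```

Run the catalog query from the application, feed the returned relnames to grant_all_tables(), and execute the result in the same session. Releases of PostgreSQL much later than this thread added GRANT ... ON ALL TABLES IN SCHEMA, which does the same job server-side; on the version Peter is answering for, the client has to assemble the list itself.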
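An added example for the answer to question 4, not part of Peter's reply or the original posting: the matching rule he gives, ({host entry} XOR {actual host}) AND {mask entry} must be 0, implemented over the poster's pg_hba.conf, plus a reordered copy of the same file in which the 192.168.200.0/255.255.255.0 record comes before the 0.0.0.0 catch-all. Records are tried top to bottom and the first one whose database and address match decides the method, which is why the order matters. The client addresses and the database name used below are constructed.

```python
# Added example, not code from the original thread.  Models how a
# pre-CIDR pg_hba.conf "host" record is matched against a client address,
# using Peter's rule: ((entry XOR client) AND mask) == 0.  ORIGINAL_HBA is
# the poster's file; FIXED_HBA is the same three records reordered.
# Client addresses and the database name in the demo are constructed.
import ipaddress

ORIGINAL_HBA = """\
# pg_hba.conf
local  all                                   trust
host   all    0.0.0.0          0.0.0.0       reject
host   all    192.168.200.0    255.255.255.0 password
"""

# Same records, specific subnet first so it is reached before the
# catch-all reject.
FIXED_HBA = """\
# pg_hba.conf
local  all                                   trust
host   all    192.168.200.0    255.255.255.0 password
host   all    0.0.0.0          0.0.0.0       reject
"""


def parse_hba(text):
    """Parse the old address/mask pg_hba.conf format into record dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            # local  database  auth-method
            records.append({"type": "local", "db": fields[1], "method": fields[2]})
        elif fields[0] == "host":
            # host  database  ip-address  ip-mask  auth-method
            records.append({
                "type": "host",
                "db": fields[1],
                "addr": int(ipaddress.IPv4Address(fields[2])),
                "mask": int(ipaddress.IPv4Address(fields[3])),
                "method": fields[4],
            })
        else:
            raise ValueError("unsupported record type: " + fields[0])
    return records


def host_matches(record, client_ip):
    """Peter's rule: the masked difference between entry and client is 0."""
    client = int(ipaddress.IPv4Address(client_ip))
    return ((record["addr"] ^ client) & record["mask"]) == 0


def lookup(hba_text, database, client_ip=None):
    """Return (method, record_index) of the first matching record.

    client_ip=None means a Unix-socket connection, which only "local"
    records can match.  (None, None) means no record matched at all.
    A "reject" method refuses the connection."""
    for idx, rec in enumerate(parse_hba(hba_text)):
        if rec["db"] not in ("all", database):
            continue
        if client_ip is None:
            if rec["type"] == "local":
                return rec["method"], idx
        elif rec["type"] == "host" and host_matches(rec, client_ip):
            return rec["method"], idx
    return None, None


if __name__ == "__main__":
    for label, hba in (("original", ORIGINAL_HBA), ("reordered", FIXED_HBA)):
        for client in ("192.168.200.17", "10.0.0.5"):
            print(label, client, lookup(hba, "appdb", client))
```

With the poster's file, every TCP client hits the reject record at index 1 because a mask of 0.0.0.0 masks away every bit of the XOR, so the result is always 0 and the 192.168.200.x record is never consulted. Moving the subnet record up makes 192.168.200.x clients reach "password" while everyone else still falls through to the reject.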