Thread: SECURITY
Why, when I create a user and create a database for this user, can he connect to my other databases (not only his own) and create tables there, etc.? He cannot select, delete, etc., but he can create something and then drop it. Can this be a bug?

> why when i create user and create database for this user, he can
> connect to my others database , (not only his own) and create there
> tables and etc. He can not select , delete etc but he can create
> something and then drop this , is can be like a bug ?

Nope. You need to remove access to the public schema if you want to prevent this.

    REVOKE USAGE ON SCHEMA public FROM PUBLIC;

It also might be wise for you to look at the pg_hba.conf and make use of the samegroup directive.

-sc

PS <feature_request>It'd be really slick if there was a database, user, and method type that'd be pgsql or some such and would allow the DBA to configure what users get access to what tables _inside_ of the database via a system catalog, leaving pg_hba.conf as an all else fails last resort mechanism used in recovery or bootstrapping.</feature_request>

--
Sean Chittenden

On Wed, May 21, 2003 at 20:18:03 +0200, ivan <ivan@psycho.pl> wrote:
> why when i create user and create database for this user, he can connect
> to my others database , (not only his own) and create there tables and
> etc.
> He can not select , delete etc but he can create something and then drop
> this , is can be like a bug ?

In 7.2 and higher you can control this (being able to connect to a database) in pg_hba.conf by setting up per user per database rules for authentication methods.

As an alternative in 7.3 and higher you can control being able to create objects in a database. To prevent creation of schemas and temporary tables issue:

    REVOKE ALL ON DATABASE database_name FROM PUBLIC;

The PUBLIC schema allows object creation by default. To prevent people from creating objects there issue:

    REVOKE CREATE ON SCHEMA PUBLIC FROM PUBLIC;

> why when i create user and create database for this user, he can connect
> to my others database , (not only his own) and create there tables and
> etc.
> He can not select , delete etc but he can create something and then drop
> this , is can be like a bug ?

It need not be a bug. As and when you create a database, you are able to revoke permissions to the database from other users. If you do that, no other users would be able to access the database. Refer to the REVOKE command for details.

regards,
bhuvaneswaran
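
Added example, not part of any message in the thread: the REVOKE statements suggested above, applied to one database and followed by catalog queries that confirm PUBLIC no longer holds the privileges. The names app_db and app_user are hypothetical, and the script assumes a PostgreSQL release newer than those discussed in the thread, one that has the CONNECT database privilege and accepts 'public' as the role argument of the has_*_privilege functions.

```sql
-- Run as a superuser or as the owner of app_db, while connected to app_db.
-- app_db and app_user are hypothetical names used only for this example.
BEGIN;

-- Drop every database-level privilege held by the PUBLIC pseudo-role.
REVOKE ALL ON DATABASE app_db FROM PUBLIC;

-- Stop arbitrary roles from creating objects in the public schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Give the privileges back to the one role that is meant to use this database.
GRANT CONNECT, TEMPORARY ON DATABASE app_db TO app_user;
GRANT USAGE, CREATE ON SCHEMA public TO app_user;

COMMIT;

-- Check 1: what PUBLIC can still do on each non-template database.
-- After the lock-down, the app_db row should show false in all three columns.
SELECT d.datname,
       has_database_privilege('public', d.oid, 'CONNECT')   AS public_can_connect,
       has_database_privilege('public', d.oid, 'CREATE')    AS public_can_create_schema,
       has_database_privilege('public', d.oid, 'TEMPORARY') AS public_can_create_temp
FROM pg_database AS d
WHERE NOT d.datistemplate
ORDER BY d.datname;

-- Check 2: schemas in the current database where PUBLIC can still create objects.
-- Schema privileges are per database, so repeat this query in each database.
SELECT n.nspname AS schema_name,
       has_schema_privilege('public', n.oid, 'USAGE')  AS public_can_use,
       has_schema_privilege('public', n.oid, 'CREATE') AS public_can_create
FROM pg_namespace AS n
WHERE n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
ORDER BY n.nspname;
```

Any other database that still shows true in the first result set accepts connections from every role that pg_hba.conf lets through, which is the behaviour the original question describes.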