Thread: Privileges question

Privileges question

From
"Alexander James Spence [axs]"
Date:

Hi All,

 

I will have to create around 200+ users and user databases for student project use.  I have tried all sorts of GRANT and REVOKE combinations but for the life of me cannot stop other users from creating tables in a database that is not their own.

 

EXAMPLE:

 

Create userone with a database userone

 

Create usertwo with a database usertwo

 

Login as usertwo and change to use userone database

 

Can now create tables in userone database

 

We are running version 9.1 anyone out there  who can show me how can I stop this behaviour? 

 

A bonus would also be nice if I can stop the user from deleting their own database.

 

Thanks in advance.

 

Regards,

 

Sandy Spence

Department of Computer Science

Aberystwyth University

Penglais Campus

Llandinam Building

Aberystwyth

Ceredigion

SY23 3DB

Tel:  01970-622433

Fax: 01970-628536

 

 

Re: Privileges question

From
"Kevin Grittner"
Date:
"Alexander James Spence [axs]" <axs@aber.ac.uk> wrote:

> will have to create around 200+ users and user databases for
> student project use.  I have tried all sorts of GRANT and REVOKE
> combinations but for the life of me cannot stop other users from
> creating tables in a database that is not their own.

test=# create user xxx;
CREATE ROLE
test=# create database xxx owner xxx;
CREATE DATABASE
test=# \c xxx
You are now connected to database "xxx" as user "kgrittn".
xxx=# revoke create on database xxx from public;
REVOKE
xxx=# revoke create on schema public from public;
REVOKE
xxx=# grant create on schema public to xxx;
GRANT

You might also want to limit connection rights in pg_hba.conf

-Kevin

Re: Privileges question

From
"Alexander James Spence [axs]"
Date:
Thanks Kevin,

That worked, head not quite so sore now ;¬).

If I wanted to set this as a default for all new databases and users how/where do I alter/create a schema other than
public?


Regards,

Sandy Spence
Department of Computer Science
Aberystwyth University
Penglais Campus
Llandinam Building
Aberystwyth
Ceredigion
SY23 3DB
Tel:  01970-622433
Fax: 01970-628536



-----Original Message-----
From: pgsql-admin-owner@postgresql.org [mailto:pgsql-admin-owner@postgresql.org] On Behalf Of Kevin Grittner
Sent: 18 October 2011 17:27
To: Alexander James Spence [axs]; 'pgsql-admin@postgresql.org'
Subject: Re: [ADMIN] Privileges question

"Alexander James Spence [axs]" <axs@aber.ac.uk> wrote:

> will have to create around 200+ users and user databases for
> student project use.  I have tried all sorts of GRANT and REVOKE
> combinations but for the life of me cannot stop other users from
> creating tables in a database that is not their own.

test=# create user xxx;
CREATE ROLE
test=# create database xxx owner xxx;
CREATE DATABASE
test=# \c xxx
You are now connected to database "xxx" as user "kgrittn".
xxx=# revoke create on database xxx from public;
REVOKE
xxx=# revoke create on schema public from public;
REVOKE
xxx=# grant create on schema public to xxx;
GRANT

You might also want to limit connection rights in pg_hba.conf

-Kevin

--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

Re: Privileges question

From
"Kevin Grittner"
Date:
"Alexander James Spence [axs]" <axs@aber.ac.uk> wrote:

> If I wanted to set this as a default for all new databases and
> users how/where do I alter/create a schema other than public?

You could do the REVOKEs against the template1 database (or whatever
database you use for creating these if you don't take the default).
The rest would need to be scripted, so I would probably just leave
the template alone and cover the whole thing in my script.

-Kevin