Thread: Permissions on non-owned database
Hello I have a strange problem and cannot realize is it really true. There are 2 problems - first one is that any user can create table (or probably any other object) in non-owned database. The second is that any postgres user can create object in template1 database. I've used 7.0.2 and never seen such problems. The postgres 7.1.3 was installed from scratch and nothing was changed from default configuration - I've only created 2 users + one db and check the situation. Can somebody tell me what may be a problem here ? thanks, -- Dimitry
Sorry, guys - is also happens under 7.0.2 So I still have only one question - HOW CAN I GET OVER THAT ? Wednesday, January 23, 2002, 12:38:27 PM, Dmitry Alyabyev wrote: > Hello > I have a strange problem and cannot realize is it really true. > There are 2 problems - first one is that any user can create table > (or probably any other object) in non-owned database. > The second is that any postgres user can create object in template1 > database. I've used 7.0.2 and never seen such problems. > The postgres 7.1.3 was installed from scratch and nothing was changed > from default configuration - I've only created 2 users + one db and > check the situation. > Can somebody tell me what may be a problem here ? > thanks, -- Dimitry
On Wed, 23 Jan 2002, Dmitry Alyabyev wrote: > Hello > > I have a strange problem and cannot realize is it really true. > There are 2 problems - first one is that any user can create table > (or probably any other object) in non-owned database. > The second is that any postgres user can create object in template1 > database. I've used 7.0.2 and never seen such problems. > The postgres 7.1.3 was installed from scratch and nothing was changed > from default configuration - I've only created 2 users + one db and > check the situation. > > Can somebody tell me what may be a problem here ? Right now there's no permissions for preventing creation in a database you can connect to. If the user doesn't need to be able to connect to the database in question, you can remove their access to it via your pg_hba.conf file.
Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote: > Right now there's no permissions for preventing creation in a database you > can connect to. If the user doesn't need to be able to connect to the > database in question, you can remove their access to it via your > pg_hba.conf file. How can I separate these users if they are connecting from one IP ? Using ident auth isn't secure enough, imho -- Dimitry
Dmitry Alyabyev <dimitry@al.org.ua> writes: > Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote: > > > Right now there's no permissions for preventing creation in a database you > > can connect to. If the user doesn't need to be able to connect to the > > database in question, you can remove their access to it via your > > pg_hba.conf file. > > How can I separate these users if they are connecting from one IP ? > Using ident auth isn't secure enough, imho If they're on a different host, and you're not willing to trust ident, I think some kind of password auth is the only way to go. -Doug -- Let us cross over the river, and rest under the shade of the trees. --T. J. Jackson, 1863
On Wed, 23 Jan 2002, Dmitry Alyabyev wrote: > Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote: > > > Right now there's no permissions for preventing creation in a database you > > can connect to. If the user doesn't need to be able to connect to the > > database in question, you can remove their access to it via your > > pg_hba.conf file. > > How can I separate these users if they are connecting from one IP ? > Using ident auth isn't secure enough, imho Probably password or crypt with per database password files.
Wednesday, January 23, 2002, 7:13:06 PM, Doug McNaught wrote: > Dmitry Alyabyev <dimitry@al.org.ua> writes: >> Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote: >> >> > Right now there's no permissions for preventing creation in a database you >> > can connect to. If the user doesn't need to be able to connect to the >> > database in question, you can remove their access to it via your >> > pg_hba.conf file. >> >> How can I separate these users if they are connecting from one IP ? >> Using ident auth isn't secure enough, imho > If they're on a different host, and you're not willing to trust > ident, I think some kind of password auth is the only way to go. No, I'm talking about remove their access to some db's via pg_hba.conf -- Dimitry
Dmitry Alyabyev <dimitry@al.org.ua> writes: > > If they're on a different host, and you're not willing to trust > > ident, I think some kind of password auth is the only way to go. > > No, I'm talking about remove their access to some db's via pg_hba.conf Well, in order to do that securely, you have to know who they are; this requires identd, peer or password authentication. -Doug -- Let us cross over the river, and rest under the shade of the trees. --T. J. Jackson, 1863