Thread: User administration tool

User administration tool

From
Bruce Momjian
Date:
[ Replies set to hackers.]

I have started coding a user/group administration tool that allows you
to add/modify/delete users and groups.  I should have something working
in a week.  It will look similar to my pgmonitor tool.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

RE: User administration tool

From
Matthew
Date:
> I have started coding a user/group administration tool that allows you
> to add/modify/delete users and groups.  I should have something working
> in a week.  It will look similar to my pgmonitor tool.

Semi-related to this, I have always thought the way PostgreSQL
handles the deletion of users and groups to be flawed.  If I create a user,
grant permissions on a table and then drop the user, permissions now exist
on that table for a user that does not exist.  I see this as a possible
security flaw since a new user can then be created with the user id of the
ID user and have all the permissions that might have ever been assigned to
that old user.  When a user is deleted, shouldn't all permissions associated
with that user be deleted also?  I would think this could be handled with a
PK/FK cascading delete type setup.
my 2¢
Matt O'Connor
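
The behaviour described in the message above, as an added example that is not part of the original thread: a toy catalog in SQLite (not PostgreSQL's own system tables) where grants are keyed by numeric user id, shown without and with the PK/FK cascading delete. The table names, the id 100 and the user names are hypothetical, constructed values.

```python
import sqlite3

def build(cascade: bool) -> sqlite3.Connection:
    """Create a user, grant on a table, then drop the user (toy catalog)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    db.execute("CREATE TABLE users (sysid INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    # The only difference between the two variants is this FK clause.
    fk = "REFERENCES users(sysid) ON DELETE CASCADE" if cascade else ""
    db.execute(f"CREATE TABLE grants (tbl TEXT, sysid INTEGER {fk}, priv TEXT)")
    db.execute("INSERT INTO users VALUES (100, 'olduser')")  # constructed data
    db.executemany("INSERT INTO grants VALUES ('payroll', 100, ?)",
                   [("SELECT",), ("UPDATE",)])
    db.execute("DELETE FROM users WHERE name = 'olduser'")
    return db

def orphaned_grants(db):
    """Audit: grants whose user id no longer matches any user."""
    return db.execute(
        "SELECT g.tbl, g.sysid, g.priv FROM grants g "
        "LEFT JOIN users u ON u.sysid = g.sysid "
        "WHERE u.sysid IS NULL ORDER BY g.priv").fetchall()

def privileges_after_id_reuse(db):
    """Create a new user with the dropped user's id; list what it can do."""
    db.execute("INSERT INTO users VALUES (100, 'newuser')")
    rows = db.execute(
        "SELECT g.priv FROM grants g JOIN users u ON u.sysid = g.sysid "
        "WHERE u.name = 'newuser' ORDER BY g.priv").fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    for cascade in (False, True):
        db = build(cascade)
        print("cascade" if cascade else "no cascade",
              orphaned_grants(db), privileges_after_id_reuse(db))
```

The `orphaned_grants` query is the audit to run in the window between the drop and any id reuse; with the cascade in place it returns nothing.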


RE: User administration tool

From
Peter Eisentraut
Date:
Matthew writes:

>     semi related to this, I have always thought that the way postgresql
> handles the deletion of users and groups to be flawed.  If I create a user,
> grant permissions on a table and then drop the user, permissions now exist
> on that table for a user that does not exist.

Unfortunately it is not possible to prevent this with anything approaching
ease, in the same way that userdel on Unix can't scan all file systems for
some to-be-stale files before removing users.

> I see this as a possible security flaw since a new user can then be
> created with the user id of the ID user and have all the permissions
> that might have ever been assigned to that old user.

This will be fixed in 7.2 when Oids will be used as user ids.  Of course
Oids can wrap, but that's another day's project...

-- 
Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/



Re: [ADMIN] User administration tool

From
Peter Eisentraut
Date:
Bruce Momjian writes:

> I have started coding a user/group administration tool that allows you
> to add/modify/delete users and groups.  I should have something working
> in a week.  It will look similar to my pgmonitor tool.

Pgaccess already does part of this.  If you're going to write it in Tcl/Tk
anyway, I think you might as well integrate it there.

-- 
Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/



Re: [ADMIN] User administration tool

From
Bruce Momjian
Date:
> Bruce Momjian writes:
>
> > I have started coding a user/group administration tool that allows you
> > to add/modify/delete users and groups.  I should have something working
> > in a week.  It will look similar to my pgmonitor tool.
>
> Pgaccess already does part of this.  If you're going to write it in Tcl/Tk
> anyway, I think you might as well integrate it there.

Wow, I see.  I never suspected it did that too.  :-)  Seems I don't need
to write anything, except perhaps add group capabilities to pgaccess.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Re: [ADMIN] User administration tool

From
"Jan T. Kim"
Date:
On Fri, Mar 30, 2001 at 10:48:54AM -0500, Bruce Momjian wrote:
> > Bruce Momjian writes:
> > 
> > > I have started coding a user/group administration tool that allows you
> > > to add/modify/delete users and groups.  I should have something working
> > > in a week.  It will look similar to my pgmonitor tool.
> > 
> > Pgaccess already does part of this.  If you're going to write it in Tcl/Tk
> > anyway, I think you might as well integrate it there.
> 
> Wow, I see.  I never suspected it did that too.  :-)  Seems I don't need
> to write anything, except perhaps add group capabilities to pgaccess.

Isn't phpPgAdmin yet another tool of this type? I haven't tried it myself,
(no need, myself being the only user...) but the web page
(http://www.greatbridge.org/project/phppgadmin/projdisplay.php) says:
   Features include:
   * create and drop databases
   * create, copy, drop and alter tables/views/sequences/functions/indices/triggers
   * edit and add fields (to the extent Postgres allows)
   * execute any SQL-statement, even batch-queries
   * manage primary and unique keys
   * create and read dumps of tables
   * administer one single database
   * administer multiple servers
   * administer postgres users and groups
 

Greetinx, Jan
-- 
 +- Jan T. Kim -------------------------------------------------------+
 |  *NEW* -->  email: kim@inb.mu-luebeck.de                           |
 |  *NEW* -->  WWW:   http://www.inb.mu-luebeck.de/staff/kim.html     |
 *-----=<  hierarchical systems are for files, not for humans  >=-----*