Thread: create function - user permissions

create function - user permissions

From
Markus Wagner
Date:
Hi,

one of my users wants to create functions using the C language, but pgs
says "no permission".

How can I permit the user to do this, while avoiding to give him root
access rights?

Thanks,

Markus


Re: create function - user permissions

From
Tom Lane
Date:
Markus Wagner <mawagner@mail.uni-mainz.de> writes:
> one of my users wants to create functions using the C language, but pgs
> says "no permission".

> How can I permit the user to do this, while avoiding to give him root
> access rights?

Just a wakeup call here: if you let a user write C functions then
you *are* giving him Postgres superuser rights.  He can do anything
he damn well pleases as user postgres, he's just got to write some
code to do it.

Once you've absorbed that, giving him the dbadmin password should
not look unreasonable.
        regards, tom lane


Re: create function - user permissions

From
JanWieck@t-online.de (Jan Wieck)
Date:
Markus Wagner wrote:
> Hi,
>
> one of my users wants to create functions using the C language, but pgs
> says "no permission".
>
> How can I permit the user to do this, while avoiding to give him root
> access rights?

Assuming with "root" access you mean "DB-superuser" rights.

No way!

From the C language, he has total access to the DB backend, running under the OS-side database system owner's UID. That means he has complete OS access to the entire DB installation! He could read/write system catalogs without any permission checks (SPI is only for convenience, someone can use heap-am as well).

So in fact, he IS a superuser then. And that should be reflected in his rights. Giving him the right would also prevent him from doing stupid things to gain access for data he shouldn't have, possibly corrupting your DB installation by accident.

If that all isn't an option for you, give him his own DB installation where he is his own superuser. There he can develop those things and after code revision, you install the modules in the production system.


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #