Thread: Bug in user management?

Bug in user management?

From
Hans-Jürgen Schönig
Date:
I need some information about PostgreSQL user management. <br />I have created a user called epi who is not allowed to
createdatabase but allowed to create users. <br />I have connected as user epi and have then created user kertal with
thefollowing command: <p>shop=# CREATE USER kertal WITH PASSWORD 'anypasswd' CREATEDB CREATEUSER IN GROUP cybertec;
<p>Accordingto the system table kertal is allowed to create databases - I have also tried this as user kertal and it
works.<br />In my opinion a user that has not the right to create database MUST NOT create user that are allowed to do
it.<p>Have I done something wrong or is it a bug? <p>    Hans <br />  <p>persons=# SELECT * FROM pg_user ; <br
/> usename | usesysid | usecreatedb | usetrace | usesuper | usecatupd |  passwd  | <br />valuntil <br
/>----------+----------+-------------+----------+----------+-----------+----------+----------<br /> postgres |       26
|t           | t        | t        | t         | ******** | <br /> hans     |       27 | f           | f        |
f       | f         | ******** | <br /> epi      |       28 | f           | f        | t        | t         | ********
|<br /> kertal   |       29 | t           | f        | t        | t         | ******** | <br />(4 rows) <br /> 
<pre>-- 
-------------------------------------------------------------------
Cybertec Geschwinde &. Schönig OEG; Schönbrunnerstraße 133/18
A-1050 Wien; <a href="http://postgres.cybertec.at">http://postgres.cybertec.at</a>; Fax.: +43/1/961 71 58
Tel.: +43/664/233 90 75</pre>  

Re: Bug in user management?

From
Tom Lane
Date:
Hans-Jürgen Schönig <hs@cybertec.at> writes:
> I have created a user called epi who is not allowed to create database
> but allowed to create users.

The "CREATEUSER" option is rather badly mislabeled: the privilege it
actually grants is superuser status.  You are laboring under a severe
misapprehension if you think that epi has ANY restrictions on what he
can do ...
        regards, tom lane


Re: Bug in user management?

From
Cedar Cox
Date:
While we're on this subject, where is the documentation on
pg_shadow?  Specifically, what it 'usetrace' for?

-Cedar


On Fri, 13 Apr 2001, Tom Lane wrote:

> Hans-Jürgen Schönig <hs@cybertec.at> writes:
> > I have created a user called epi who is not allowed to create database
> > but allowed to create users.
> 
> The "CREATEUSER" option is rather badly mislabeled: the privilege it
> actually grants is superuser status.  You are laboring under a severe
> misapprehension if you think that epi has ANY restrictions on what he
> can do ...
> 
>             regards, tom lane