Thread: Help with privilages please

Help with privilages please

From
Hilary Forbes
Date:
Dear All<br /><br /> We are running pg v 7.4.1 and importantly the database has been converted from earlier versions
ofpg (6.5 I seem to recall).<br /><br /> I have an existing table suppliers and I have created a new user 'hilary'<br
/><br/> REVOKE ALL on TABLE suppliers FROM hilary;<br /><br /> now login as hilary<br /> SELECT * from suppliers;<br />
andI get all the records!!!<br /><br /> If I create a **new** table though and then do the above, the permissions work
Iget a polite message telling me "no go".  This sounds to me like a problem with earlier compatibility.  Is there a way
Ican overcome this.  A simple dump/restore does not solve the problem.<br /><br /> Many thanks<br /> Hilary<br /><p>
HilaryForbes<br /> DMR Limited (UK registration 01134804) <br /> A DMR Information and Technology Group company (<a
eudora="autourl"href="http://www.dmr.co.uk/"><font color="#0000FF"><u>www.dmr.co.uk</u></font></a>) <br /> Direct tel
01689889950 Fax 01689 860330 <br /> DMR is a UK registered trade mark of DMR Limited<br />
**********************************************************

Re: Help with privilages please

From
Stephan Szabo
Date:
On Thu, 20 Jul 2006, Hilary Forbes wrote:

> Dear All
>
> We are running pg v 7.4.1 and importantly the database has been
> converted from earlier versions of pg (6.5 I seem to recall).
>
> I have an existing table suppliers and I have created a new user 'hilary'
>
> REVOKE ALL on TABLE suppliers FROM hilary;
>
> now login as hilary
> SELECT * from suppliers;
> and I get all the records!!!

This probably means that "public" also has rights on suppliers (and thus,
the user still has access through the public permissions). You can
probably get around this by revoking the public rights and granting rights
explicitly to the users that should have rights.



Re: Help with privilages please

From
Richard Broersma Jr
Date:
REVOKE ALL on TABLE suppliers FROM hilary;
now login as hilary
SELECT * from suppliers;
and I get all the records!!!
If I create a **new** table though and then do the above, the permissionswork I get a polite
message telling me "no go".  Thissounds to me like a problem with earlier compatibility.  Is there
away I can overcome this.  A simple dump/restore does not solve theproblem.


You might also have to revoke all from public:

Regards,
Richard Broersma Jr.


Re: Help with privilages please

From
Tom Lane
Date:
Hilary Forbes <hforbes@dmr.co.uk> writes:
> I have an existing table suppliers and I have created a new user
> 'hilary'<br><br>
> REVOKE ALL on TABLE suppliers FROM hilary;<br><br>
> now login as hilary<br>
> SELECT * from suppliers;<br>
> and I get all the records!!!<br><br>

Most likely there's been a grant of (at least) select privilege to PUBLIC.
You'll need to revoke that if you don't want every user to have that
privilege implicitly.
        regards, tom lane


Re: Help with privilages please

From
Hilary Forbes
Date:
Tom<br /><br /> Thank you - I think that the underlying problem is that I was trying out<br /><br /> REVOKE ALL FROM
TABLEsuppliers FOR public;<br /><br /> then connect as hilary and I can still see the table rows.<br /><br /> I appear
tohave to revoke each type eg<br /> REVOKE SELECT FROM TABLE suppliers FOR public;<br /> etc and then the code
works.<br/><br /> Is this a known bug in this version (7.4.1)?<br /><br /> Thanks<br /> Hilary<br /><br /><br /> At
18:0820/07/2006 -0400, Tom Lane wrote:<br /><br /><blockquote cite="cite" class="cite" type="cite">Hilary Forbes
<hforbes@dmr.co.uk>writes:<br /> > I have an existing table suppliers and I have created a new user<br /> >
'hilary'<br><br><br/> > REVOKE ALL on TABLE suppliers FROM hilary;<br><br><br /> > now
loginas hilary<br><br /> > SELECT * from suppliers;<br><br /> > and I get all the
records!!!<br><br><br/><br /> Most likely there's been a grant of (at least) select privilege to PUBLIC.<br
/>You'll need to revoke that if you don't want every user to have that<br /> privilege implicitly.<br /><br />
                        regards,tom lane<br /><br /> ---------------------------(end of
broadcast)---------------------------<br/> TIP 6: explain analyze is your friend</blockquote><p> Hilary Forbes<br />
DMRLimited (UK registration 01134804) <br /> A DMR Information and Technology Group company (<a eudora="autourl"
href="http://www.dmr.co.uk/"><fontcolor="#0000FF"><u>www.dmr.co.uk</u></font></a>) <br /> Direct tel 01689 889950 Fax
01689860330 <br /> DMR is a UK registered trade mark of DMR Limited<br />
**********************************************************

Re: Help with privilages please

From
"Andrew Hammond"
Date:
7.4.1 is quite old and has a number of serious known bugs. I'd suggest
you either upgrade to 8.1.4 (current) or, if you can't do that, at
least upgrade to 7.4.13 (latest 7.4) immediately.


Hilary Forbes wrote:
> Tom
>
>  Thank you - I think that the underlying problem is that I was trying out
>
>  REVOKE ALL FROM TABLE suppliers FOR public;
>
>  then connect as hilary and I can still see the table rows.
>
>  I appear to have to revoke each type eg
>  REVOKE SELECT FROM TABLE suppliers FOR public;
>  etc and then the code works.
>
>  Is this a known bug in this version (7.4.1)?
>
>  Thanks
>  Hilary
>
>
>  At 18:08 20/07/2006 -0400, Tom Lane wrote:
>
>  Hilary Forbes <hforbes@dmr.co.uk> writes:
>  > I have an existing table suppliers and I have created a new user
>  > 'hilary'<br><br>
>  > REVOKE ALL on TABLE suppliers FROM hilary;<br><br>
>  > now login as hilary<br>
>  > SELECT * from suppliers;<br>
>  > and I get all the records!!!<br><br>
>
>  Most likely there's been a grant of (at least) select privilege to PUBLIC.
>  You'll need to revoke that if you don't want every user to have that
>  privilege implicitly.
>
>                          regards, tom lane
>
>  ---------------------------(end of broadcast)---------------------------
>  TIP 6: explain analyze is your friend
>
>  Hilary Forbes
>  DMR Limited (UK registration 01134804)
>  A DMR Information and Technology Group company (_www.dmr.co.uk_)
>  Direct tel 01689 889950 Fax 01689 860330
>  DMR is a UK registered trade mark of DMR Limited
>  **********************************************************