Thread: [BUGS] BUG #14828: Security isn't working

The following bug has been logged on the website:

Bug reference:      14828
Logged by:          Randy Grolemund
Email address:      randygrolemund@gmail.com
PostgreSQL version: 9.6.5
Operating system:   Linux
Description:

Another team member created a new db, and did not assign any users
permission to that db. It appears at least one of the users (no super user
permissions) can read and write to that db. It doesn't make any sense how
this is working.


--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

randygrolemund@gmail.com writes:
> Another team member created a new db, and did not assign any users
> permission to that db. It appears at least one of the users (no super user
> permissions) can read and write to that db. It doesn't make any sense how
> this is working.

Well, as noted in the GRANT reference page, the default for a new database
is to grant CONNECT privilege to PUBLIC; if you don't like that you need
to revoke it, or (usually less desirable) use pg_hba.conf rules to
restrict access.  Depending on how much you want to lock down access,
you might also want to revoke TEMP privilege and/or remove or restrict
the "public" schema within that database.

If none of those are the problem then you need to provide considerably
more detail.  But so far I see nothing here that sounds like it's not
operating as designed.

https://www.postgresql.org/docs/current/static/bug-reporting.html
        regards, tom lane


-- 
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs