REVOKE CONNECT doesn't work in 8.3.5

Started by Boszormenyi Zoltan over 17 years ago, 3 messages, general
#1 Boszormenyi Zoltan
zb@cybertec.at

Hi,

It seems REVOKE CONNECT doesn't work as advertised.
I have "trust" entries in pg_hba.conf because my machine is closed.
I added some PG users, and one of them was used in:

REVOKE CONNECT ON DATABASE zozo FROM hs;

However, user "hs" can happily connect to database "zozo"
despite the REVOKE. Documentation says at
http://www.postgresql.org/docs/8.3/interactive/sql-grant.html :

CONNECT
Allows the user to connect to the specified database.
This privilege is checked at connection startup (in addition to checking
any restrictions imposed by pg_hba.conf).

To me, this means that REVOKE CONNECT is a veto over "trust".
Is it not?

Best regards,
Zoltán Böszörményi

--
Bible has answers for everything. Proofs:
"But let your communication be, Yea, yea; Nay, nay: for whatsoever is more
than these cometh of evil." (Matthew 5:37) - basics of digital technology.
"May your kingdom come" - superstitious description of plate tectonics

----------------------------------
Zoltán Böszörményi
Cybertec Schönig & Schönig GmbH
http://www.postgresql.at/

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Boszormenyi Zoltan (#1)
Re: REVOKE CONNECT doesn't work in 8.3.5

Zoltan Boszormenyi <zb@cybertec.at> writes:

> I have "trust" entries in pg_hba.conf because my machine is closed.
> I added some PG users, and one of them was used in:
>
> REVOKE CONNECT ON DATABASE zozo FROM hs;
>
> However, user "hs" can happily connect to database "zozo"
> despite the REVOKE.

Unless you had previously done a specific GRANT CONNECT TO hs,
the above command doesn't do a darn thing. The privilege that
actually exists by default is a grant of connect to PUBLIC.
What you need to do is REVOKE FROM PUBLIC, and then GRANT to
whichever users/groups you want to allow to connect.

regards, tom lane
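
Added example (not part of the original thread and not PostgreSQL source code): a simplified Python model of the database ACL check described in the reply above, showing why the per-user REVOKE is a no-op and how to list databases where PUBLIC still holds CONNECT. It assumes owner `postgres`, a hypothetical role `app_rw` and constructed `datacl` values, and it ignores superusers, role membership and quoted role names.

```python
# Simplified model of PostgreSQL database ACLs (illustration only).
# aclitem text form: "grantee=privs/grantor"; an empty grantee means PUBLIC.
# Database privilege letters: C = CREATE, c = CONNECT, T = TEMPORARY.

def default_acl(owner):
    """ACL implied by a NULL pg_database.datacl: PUBLIC gets CONNECT + TEMP."""
    return {"": set("Tc"), owner: set("CTc")}

def parse_datacl(text, owner):
    """Parse e.g. '{=T/postgres,hs=c/postgres}'; None means built-in defaults."""
    if text is None:
        return default_acl(owner)
    acl = {}
    for item in filter(None, text.strip("{}").split(",")):
        grantee, rest = item.split("=", 1)
        privs = rest.split("/", 1)[0].replace("*", "")  # '*' marks grant option
        acl.setdefault(grantee, set()).update(privs)
    return acl

def grant(acl, priv, grantee):
    acl.setdefault(grantee, set()).add(priv)

def revoke(acl, priv, grantee):
    # Privileges are additive: REVOKE only clears a bit in the grantee's own
    # entry. There is no "deny" entry that could override a grant to PUBLIC.
    acl.get(grantee, set()).discard(priv)

def can_connect(acl, role):
    # A role holds CONNECT if its own entry or the PUBLIC entry carries 'c'.
    return "c" in (acl.get(role, set()) | acl.get("", set()))

def public_connect_databases(rows):
    """rows: (datname, owner, datacl) tuples; names PUBLIC can still connect to."""
    return [d for d, owner, acl in rows
            if "c" in parse_datacl(acl, owner).get("", set())]

# Constructed sample of pg_database rows (datname, owner, datacl).
SAMPLE_ROWS = [
    ("zozo", "postgres", None),  # never touched: defaults apply
    ("locked", "postgres", "{=T/postgres,postgres=CTc/postgres,app_rw=c/postgres}"),
]

def demo():
    acl = parse_datacl(None, "postgres")   # fresh database "zozo"
    revoke(acl, "c", "hs")                 # REVOKE CONNECT ... FROM hs;
    after_user_revoke = can_connect(acl, "hs")
    revoke(acl, "c", "")                   # REVOKE CONNECT ... FROM PUBLIC;
    grant(acl, "c", "app_rw")              # GRANT CONNECT ... TO app_rw;
    return after_user_revoke, can_connect(acl, "hs"), can_connect(acl, "app_rw")

if __name__ == "__main__":
    print(demo(), public_connect_databases(SAMPLE_ROWS))
```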

#3 Boszormenyi Zoltan
zb@cybertec.at
In reply to: Tom Lane (#2)
Re: REVOKE CONNECT doesn't work in 8.3.5

Tom Lane wrote:

> Zoltan Boszormenyi <zb@cybertec.at> writes:
>
>> I have "trust" entries in pg_hba.conf because my machine is closed.
>> I added some PG users, and one of them was used in:
>>
>> REVOKE CONNECT ON DATABASE zozo FROM hs;
>>
>> However, user "hs" can happily connect to database "zozo"
>> despite the REVOKE.
>
> Unless you had previously done a specific GRANT CONNECT TO hs,
> the above command doesn't do a darn thing. The privilege that
> actually exists by default is a grant of connect to PUBLIC.
> What you need to do is REVOKE FROM PUBLIC, and then GRANT to
> whichever users/groups you want to allow to connect.
>
> regards, tom lane

Thanks very much for the clarification. The documentation
doesn't spell it out as clearly. Another possibility is that
I can't read and interpret correctly. :-)

----------------------------------
Zoltán Böszörményi
Cybertec Schönig & Schönig GmbH
http://www.postgresql.at/