User privileges-verification required

Started by Nauman Naeem almost 20 years ago, 6 messages
#1 Nauman Naeem
nauman.naeem@gmail.com

Hello all,

While playing around with database users, I noticed one odd thing
regarding user privileges.

In case I have only one user in my database who is also the DBSystem
user (who carries out initdb), then if that user takes away his
"createuser" privileges, he is unable to grant himself that privilege
again or grant that privilege to any other user that he creates. This
creates quite a fix since you end up with no superusers, nor a way to
create any other superusers.

In my opinion we should cater for such a situation, and two possible
solutions come to my mind for this:

1. Place a restriction that there should be more than one superuser
before you can issue a "NOCREATEUSER" command.

2. Only the DBsystemuser should be allowed to grant and revoke the
"createuser" privileges.

Let me know what you all think.

Thanks,
Nauman

#2 Peter Eisentraut
peter_e@gmx.net
In reply to: Nauman Naeem (#1)
Re: User privileges-verification required

On Friday, 24 February 2006 14:25, Nauman Naeem wrote:

> In case I have only one user in my database who is also the DBSystem
> user (who carries out initdb), then if that user takes away his
> "createuser" privileges, he is unable to grant himself that privilege
> again or grant that privilege to any other user that he creates. This
> creates quite a fix since you end up with no superusers, nor a way to
> create any other superusers.

Shut down the server, start in single-user mode, then you can fix it.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

#3 Nauman Naeem
nauman.naeem@gmail.com
In reply to: Peter Eisentraut (#2)
Re: User privileges-verification required

I tried the single-user mode option and it worked, thanks! But don't
you people think that we should provide this privilege in multi-user
mode as well? In accordance with my second point.

On 2/24/06, Peter Eisentraut <peter_e@gmx.net> wrote:

> On Friday, 24 February 2006 14:25, Nauman Naeem wrote:
>
> > In case I have only one user in my database who is also the DBSystem
> > user (who carries out initdb), then if that user takes away his
> > "createuser" privileges, he is unable to grant himself that privilege
> > again or grant that privilege to any other user that he creates. This
> > creates quite a fix since you end up with no superusers, nor a way to
> > create any other superusers.
>
> Shut down the server, start in single-user mode, then you can fix it.
>
> --
> Peter Eisentraut
> http://developer.postgresql.org/~petere/

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Nauman Naeem (#3)
Re: User privileges-verification required

"Nauman Naeem" <nauman.naeem@gmail.com> writes:

> I tried the single-user mode option and it worked, thanks! But don't
> you people think that we should provide this privilege in multi-user
> mode as well? In accordance with my second point.

No. Restricting what a superuser can do is pointless --- he can always
manage to shoot himself in the foot if he tries hard enough. (Consider
eg "DELETE FROM pg_authid".) Trying to fix it in the reverse direction
(re-establishing superuser after the last one's been deleted) has
obvious security issues.

The problem comes up sufficiently seldom that the single-user-mode
backdoor seems sufficient.

regards, tom lane

#5 Christopher Kings-Lynne
chriskl@familyhealth.com.au
In reply to: Nauman Naeem (#1)
Re: User privileges-verification required

> In my opinion we should cater for such a situation, and two possible
> solutions come to my mind for this:

I've done exactly this before, and had to use single user mode to
recover. Annoying.

> 1. Place a restriction that there should be more than one superuser
> before you can issue a "NOCREATEUSER" command.

I agree :)

Chris

#6 Nauman Naeem
nauman.naeem@gmail.com
In reply to: Christopher Kings-Lynne (#5)
Re: User privileges-verification required

Yeah it really was :-) BTW I have implemented this for multiuser-mode as
well... Both the approaches as mentioned in my very first email...

1- The minimum super user count should not be less than 1.
2- Only the main database system owner is eligible to reassign.

My personal belief is, this minimum functionality should be a part of
multiuser mode! I was oblivious of this and did initdb twice, maybe I am
dumb :-)

Thanks,
Nauman

On 2/26/06, Christopher Kings-Lynne <chriskl@familyhealth.com.au> wrote:

> > In my opinion we should cater for such a situation, and two possible
> > solutions come to my mind for this:
>
> I've done exactly this before, and had to use single user mode to
> recover. Annoying.
>
> > 1. Place a restriction that there should be more than one superuser
> > before you can issue a "NOCREATEUSER" command.
>
> I agree :)
>
> Chris
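
As an added illustration, not part of the thread and not the implementation mentioned in message #6, this is one way an administrator could apply proposal 1 as a wrapper function around superuser demotion, followed by an audit query. The function name `demote_superuser` and the advisory lock key are hypothetical; it uses the `ALTER ROLE ... NOSUPERUSER` spelling and assumes a PostgreSQL release that provides `format()` and `pg_advisory_xact_lock()`.

```sql
-- Added example: hypothetical helper, not part of PostgreSQL itself.
CREATE OR REPLACE FUNCTION demote_superuser(target name)
RETURNS void
LANGUAGE plpgsql
AS $$
DECLARE
    remaining integer;
BEGIN
    -- Serialize concurrent callers so two superusers cannot demote
    -- each other at the same moment (the key is an arbitrary constant).
    PERFORM pg_advisory_xact_lock(727001);

    IF NOT EXISTS (SELECT 1 FROM pg_roles
                   WHERE rolname = target AND rolsuper) THEN
        RAISE EXCEPTION 'role "%" is not a superuser', target;
    END IF;

    -- Count the superusers that would be left and can still log in:
    -- a superuser with NOLOGIN or an expired password does not help.
    SELECT count(*) INTO remaining
    FROM pg_roles
    WHERE rolsuper
      AND rolcanlogin
      AND (rolvaliduntil IS NULL OR rolvaliduntil > now())
      AND rolname <> target;

    IF remaining < 1 THEN
        RAISE EXCEPTION
            'refusing to demote "%": no other usable superuser would remain',
            target;
    END IF;

    -- %I quotes the role name as an identifier.
    EXECUTE format('ALTER ROLE %I NOSUPERUSER', target);
END;
$$;

-- Audit query: list current superusers and whether each can log in.
SELECT rolname, rolcanlogin, rolvaliduntil
FROM pg_roles
WHERE rolsuper
ORDER BY rolname;
```

A direct `ALTER ROLE` or a catalog edit such as the `DELETE FROM pg_authid` mentioned in message #4 bypasses this wrapper, so it only guards against accidents; single-user mode remains the recovery path.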