Participants
PostgreSQL Bugs List
PostgreSQL Bugs List
Antoine Reid
Antoine Reid
Robert Watson
Robert Watson
Attachments
Show all attachments
Thread Outline
#1PostgreSQL Bugs ListPostgreSQL Bugs List
Aug 25, 2000
#2Antoine ReidAntoine Reidto PostgreSQL Bugs List (#1)
Aug 25, 2000
#3Robert WatsonRobert Watsonto Antoine Reid (#2)
Aug 25, 2000

Any user able to connect to a database can create tables/etc

Started by PostgreSQL Bugs Listover 25 years ago3 messagesbugs
Jump to latest
#1PostgreSQL Bugs List
PostgreSQL Bugs List
pgsql-bugs@postgresql.org

Robert Watson (robert@fledge.watson.org) reports a bug with a severity of 2
The lower the number the more severe it is.

Short Description
Any user able to connect to a database can create tables/etc

Long Description
There is no access control mechanism by which users can be allowed
to connect to a database, but not create tables. Ideally, only the
DBA would be able to create new tables, or some ACL would exist
on the database to limit which users could create tables. As it
stands, this is a severe limitation for sites that wish to allow
mutually suspicious users to host different databases on the same
backend.

One solution might be to add an ACL to the database itself
enumerating various rights for various principals, including:

connect (can connect to the database at all)
create (can create tables, views, et al)
delete (can delete tables, views, et al)

You could imagine other rights being necessary or useful also.
This type of feature would make PostgreSQL far more useful in
ISP/ASP environments.

Sample Code

No file was uploaded with this report

#2Antoine Reid
Antoine Reid
antoiner@hansonpublications.com
In reply to: PostgreSQL Bugs List (#1)
Re: Any user able to connect to a database can create tables/etc

On Fri, Aug 25, 2000 at 03:47:16PM -0400, pgsql-bugs@postgresql.org wrote:

Robert Watson (robert@fledge.watson.org) reports a bug with a severity of 2
The lower the number the more severe it is.

Short Description
Any user able to connect to a database can create tables/etc

[snip]

connect (can connect to the database at all)
create (can create tables, views, et al)
delete (can delete tables, views, et al)

^^^^^^
Shouldn't this one be called 'drop' privilege?

This is something I would also like to have. It is to be noted that another
opensource project (that we all know about..) supports that... :->

There might be a workaround that I am not aware of either... (and if so,
I'd like to hear it!)

just my 1/50$
antoine

--
o Antoine Reid o> Alcohol and calculus <o>
<|> antoiner@hansonpublications.com <| don't mix. Never drink |

Show quoted text

\ antoiner@edmarketing.com >\ and derive. /<

#3Robert Watson
Robert Watson
robert@fledge.watson.org
In reply to: Antoine Reid (#2)
Re: Any user able to connect to a database can create tables/etc

On Fri, 25 Aug 2000, Antoine Reid wrote:

connect (can connect to the database at all)
create (can create tables, views, et al)
delete (can delete tables, views, et al)

^^^^^^
Shouldn't this one be called 'drop' privilege?

Yup, it should be. I got distracted while filling out the form and typed
in the wrong thing on returning.

This is something I would also like to have. It is to be noted that
another opensource project (that we all know about..) supports that...
:->

There might be a workaround that I am not aware of either... (and if so,
I'd like to hear it!)

Sounds good to me.

I'd also like to see support for UNIX domain sockets credential passing
authentication for local database connections sometime, but I haven't had
a chance to hack on that at all. In the mean time, I've been forcing
local connections to use TCP/IP via PGHOST=localhost and using identd,
disabling the trust setting, but that's not really ideal.

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

← Back to Topics