dissallowing access to databases
Hello.
How can I prevent user from connecting to certain databases?
For example:
user1 has database user1. But he can easily do '\c otherdb' to connect
to a database own by other user.
And what scares me most, he cat create his own tables in this
database(!!)
In my pg_hba.conf I have a line:
local all crypt
which (IMO) means that any user can connect to any database. How to
change this to allow users connect *only* to their db?
PS. Forgive, if the question is obvious. Just point me to the right
explanation in the doc/faq.
--
greetings,
Pawel Zaorski
http://sky.pl
zaor@sky.pl (Pawel Zaorski) writes:
Hello.
How can I prevent user from connecting to certain databases?
For example:
user1 has database user1. But he can easily do '\c otherdb' to connect
to a database own by other user.
And what scares me most, he cat create his own tables in this
database(!!)In my pg_hba.conf I have a line:
local all crypt
which (IMO) means that any user can connect to any database. How to
change this to allow users connect *only* to their db?
That the user can connect to other databases, indicates that you have
created that user as a superuser, i.e. he have permission to create
new postgres users. If the user is not a superuser, he shouldn't be
able to connect to other databases, than the ones he own or have
explicit permission to.
Tomas
Import Notes
Reply to msg id not found: zaor@sky.pl'smessageofSun15Oct2000123055+0200
Pawel,
How can I prevent user from connecting to certain databases?
IIRC, users are server-wide, so there's no way to. To protect your tables,
you normally do something like:
create table blabla(
<...>
);
revoke all on blabla from public;
grant select on blabla to blabla_user;
As long as data dictionary is also kept in relations, you should be able
to protect it that way, too. It seems that only DB superusers and owners
have insert/delete rights on data dictionary.
Ed
---
Well I tried to be meek
And I have tried to be mild
But I spat like a woman
And I sulked like a child
I have lived behind the walls
That have made me alone
Striven for peace
Which I never have known
Dire Straits, Brothers In Arms, The Man's Too Strong (Knopfler)
That the user can connect to other databases, indicates that you have
created that user as a superuser
Works perfectly for a simple mortal here. Moreof, a user can create his
tables:
copl=# select * from pg_shadow where usename = 'cdl_user';
usename | cdl_user
usesysid | 307
usecreatedb | f
usetrace | f
usesuper | f
usecatupd | f
passwd |
valuntil |
copl=# \c copl cdl_user
You are now connected to database copl as user cdl_user.
copl=> \dt
Name | copl_global
Type | table
Owner | root
------+------------
Name | ours_hints
Type | table
Owner | root
------+------------
Name | ours_refs
Type | table
Owner | root
------+------------
Name | ours_users
Type | table
Owner | root
copl=> select * from copl_global;
ERROR: copl_global: Permission denied.
copl=> create table test( id int4 );
CREATE
copl=> drop table test;
DROP
copl=> \c mailarch cdl_user
You are now connected to database mailarch as user cdl_user.
mailarch=> \dt
Name | messages
Type | table
Owner | root
mailarch=> select * from messages;
ERROR: messages: Permission denied.
mailarch=> create table test( id int4 );
CREATE
mailarch=> drop table test;
DROP
Am I missing something?
TIA
Ed
---
Well I tried to be meek
And I have tried to be mild
But I spat like a woman
And I sulked like a child
I have lived behind the walls
That have made me alone
Striven for peace
Which I never have known
Dire Straits, Brothers In Arms, The Man's Too Strong (Knopfler)
CREATE TABLE is not considered to be an access violation; we have no
concept of read-only access to a whole database, only to individual
tables.
If you want to restrict each user to connect only to his own database,
there's an option for that in pg_hba.conf:
# host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]
#
# DBNAME is the name of a PostgreSQL database, "all" to indicate all
# databases, or "sameuser" to restrict a user's access to a database with
# the same user name.
If that's not flexible enough for you, allowing a particular subset of
users to connect to a particular database is possible but tedious.
One way is to set up a separate password file for each such DB, and use
password authentication that specifies the alternate password file ---
ie, a separate pg_hba.conf line for each such DB, with the allowed users
listed in a separate file per DB. Another way is to use ident
authentication, specifying a separate "ident map name" for each DB,
and listing the allowed users for each DB under that map name.
This could stand to be improved; there's no comparable facility for
Kerberos auth methods.
regards, tom lane
Sun, Oct 15, 2000 at 11:56:01AM -0400, Tom Lane wrote:
If you want to restrict each user to connect only to his own database,
there's an option for that in pg_hba.conf:
Thanks, that solves my problem.
I missunderstood the option 'sameuser'.
--
greets,
Pawel Zaorski
http://sky.pl