Permissions on non-owned database
Hello
I have a strange problem and cannot realize is it really true.
There are 2 problems - first one is that any user can create table
(or probably any other object) in non-owned database.
The second is that any postgres user can create object in template1
database. I've used 7.0.2 and never seen such problems.
The postgres 7.1.3 was installed from scratch and nothing was changed
from default configuration - I've only created 2 users + one db and
check the situation.
Can somebody tell me what may be a problem here ?
thanks,
--
Dimitry
Sorry, guys - is also happens under 7.0.2
So I still have only one question - HOW CAN I GET OVER THAT ?
Wednesday, January 23, 2002, 12:38:27 PM, Dmitry Alyabyev wrote:
Hello
I have a strange problem and cannot realize is it really true.
There are 2 problems - first one is that any user can create table
(or probably any other object) in non-owned database.
The second is that any postgres user can create object in template1
database. I've used 7.0.2 and never seen such problems.
The postgres 7.1.3 was installed from scratch and nothing was changed
from default configuration - I've only created 2 users + one db and
check the situation.
Can somebody tell me what may be a problem here ?
thanks,
--
Dimitry
On Wed, 23 Jan 2002, Dmitry Alyabyev wrote:
Hello
I have a strange problem and cannot realize is it really true.
There are 2 problems - first one is that any user can create table
(or probably any other object) in non-owned database.
The second is that any postgres user can create object in template1
database. I've used 7.0.2 and never seen such problems.
The postgres 7.1.3 was installed from scratch and nothing was changed
from default configuration - I've only created 2 users + one db and
check the situation.Can somebody tell me what may be a problem here ?
Right now there's no permissions for preventing creation in a database you
can connect to. If the user doesn't need to be able to connect to the
database in question, you can remove their access to it via your
pg_hba.conf file.
Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote:
Right now there's no permissions for preventing creation in a database you
can connect to. If the user doesn't need to be able to connect to the
database in question, you can remove their access to it via your
pg_hba.conf file.
How can I separate these users if they are connecting from one IP ?
Using ident auth isn't secure enough, imho
--
Dimitry
Dmitry Alyabyev <dimitry@al.org.ua> writes:
Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote:
Right now there's no permissions for preventing creation in a database you
can connect to. If the user doesn't need to be able to connect to the
database in question, you can remove their access to it via your
pg_hba.conf file.How can I separate these users if they are connecting from one IP ?
Using ident auth isn't secure enough, imho
If they're on a different host, and you're not willing to trust
ident, I think some kind of password auth is the only way to go.
-Doug
--
Let us cross over the river, and rest under the shade of the trees.
--T. J. Jackson, 1863
Import Notes
Reply to msg id not found: DmitryAlyabyev'smessageofWed23Jan2002183723+0200
On Wed, 23 Jan 2002, Dmitry Alyabyev wrote:
Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote:
Right now there's no permissions for preventing creation in a database you
can connect to. If the user doesn't need to be able to connect to the
database in question, you can remove their access to it via your
pg_hba.conf file.How can I separate these users if they are connecting from one IP ?
Using ident auth isn't secure enough, imho
Probably password or crypt with per database password files.
Wednesday, January 23, 2002, 7:13:06 PM, Doug McNaught wrote:
Dmitry Alyabyev <dimitry@al.org.ua> writes:
Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote:
Right now there's no permissions for preventing creation in a database you
can connect to. If the user doesn't need to be able to connect to the
database in question, you can remove their access to it via your
pg_hba.conf file.How can I separate these users if they are connecting from one IP ?
Using ident auth isn't secure enough, imho
If they're on a different host, and you're not willing to trust
ident, I think some kind of password auth is the only way to go.
No, I'm talking about remove their access to some db's via pg_hba.conf
--
Dimitry
Dmitry Alyabyev <dimitry@al.org.ua> writes:
If they're on a different host, and you're not willing to trust
ident, I think some kind of password auth is the only way to go.No, I'm talking about remove their access to some db's via pg_hba.conf
Well, in order to do that securely, you have to know who they are; this
requires identd, peer or password authentication.
-Doug
--
Let us cross over the river, and rest under the shade of the trees.
--T. J. Jackson, 1863
Import Notes
Reply to msg id not found: DmitryAlyabyev'smessageofWed23Jan2002205827+0200