Thread

  1. Any user able to connect to a database can create tables/etc

    PostgreSQL Bugs List <pgsql-bugs@postgresql.org> — 2000-08-25T19:47:16Z

    Robert Watson (robert@fledge.watson.org) reports a bug with a severity of 2
    The lower the number the more severe it is.
    
    Short Description
    Any user able to connect to a database can create tables/etc
    
    Long Description
    There is no access control mechanism by which users can be allowed
    to connect to a database, but not create tables.  Ideally, only the
    DBA would be able to create new tables, or some ACL would exist
    on the database to limit which users could create tables.  As it
    stands, this is a severe limitation for sites that wish to allow
    mutually suspicious users to host different databases on the same
    backend.
    
    One solution might be to add an ACL to the database itself
    enumerating various rights for various principals, including:
    
    connect (can connect to the database at all)
    create (can create tables, views, et al)
    delete (can delete tables, views, et al)
    
    You could imagine other rights being necessary or useful also.
    This type of feature would make PostgreSQL far more useful in
    ISP/ASP environments.
    
    
    Sample Code
    
    
    No file was uploaded with this report
    
    
    
  2. Re: Any user able to connect to a database can create tables/etc

    Antoine Reid <antoiner@hansonpublications.com> — 2000-08-25T20:19:11Z

    On Fri, Aug 25, 2000 at 03:47:16PM -0400, pgsql-bugs@postgresql.org wrote:
    > Robert Watson (robert@fledge.watson.org) reports a bug with a severity of 2
    > The lower the number the more severe it is.
    > 
    > Short Description
    > Any user able to connect to a database can create tables/etc
    [snip]
    > 
    > connect (can connect to the database at all)
    > create (can create tables, views, et al)
    > delete (can delete tables, views, et al)
      ^^^^^^
    Shouldn't this one be called 'drop' privilege?
    
    This is something I would also like to have.  It is to be noted that another
    opensource project (that we all know about..) supports that... :->
    
    There might be a workaround that I am not aware of either... (and if so,
    I'd like to hear it!)
    
    just my 1/50$
    antoine
    
    -- 
     o          Antoine Reid             o>    Alcohol and calculus   <o>
    <|> antoiner@hansonpublications.com <|    don't mix. Never drink   |
     >\    antoiner@edmarketing.com      >\         and derive.       /<
    
    
  3. Re: Any user able to connect to a database can create tables/etc

    Robert Watson <robert@fledge.watson.org> — 2000-08-25T20:40:25Z

    On Fri, 25 Aug 2000, Antoine Reid wrote:
    
    > > connect (can connect to the database at all)
    > > create (can create tables, views, et al)
    > > delete (can delete tables, views, et al)
    >   ^^^^^^
    > Shouldn't this one be called 'drop' privilege?
    
    Yup, it should be.  I got distracted while filling out the form and typed
    in the wrong thing on returning.
    
    > This is something I would also like to have.  It is to be noted that
    > another opensource project (that we all know about..) supports that...
    > :->
    > 
    > There might be a workaround that I am not aware of either... (and if so,
    > I'd like to hear it!) 
    
    Sounds good to me.
    
    I'd also like to see support for UNIX domain sockets credential passing
    authentication for local database connections sometime, but I haven't had
    a chance to hack on that at all.  In the mean time, I've been forcing
    local connections to use TCP/IP via PGHOST=localhost and using identd,
    disabling the trust setting, but that's not really ideal.
    
      Robert N M Watson 
    
    robert@fledge.watson.org              http://www.watson.org/~robert/
    PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
    TIS Labs at Network Associates, Safeport Network Services