
Re: Re: grant privileges to a database

From: GH <grasshacker(at)over-yonder(dot)net>
To: Dan Wilson <phpPgAdmin(at)acucore(dot)com>
Cc: "Martin A(dot) Marques" <martin(at)math(dot)unl(dot)edu(dot)ar>, Michael Fork <mfork(at)toledolink(dot)com>, pgsql-hackers(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org
Subject: Re: Re: grant privileges to a database
Date: 2001-01-31 23:44:28
Message-ID: 20010131174428.B26368@over-yonder.net
Lists: pgsql-general, pgsql-hackers
On Wed, Jan 31, 2001 at 03:39:46PM -0700, some SMTP stream spewed forth: 
> : On Wed 31 Jan 2001 18:32, Dan Wilson wrote:
> : > You can do this in phpPgAdmin... it's a hack because it just pulls in all
> : > the objects/relations and runs a single grant statement on them, but it
> : > works.  It puts together a query like the following:
> : >
> : > GRANT ALL ON table1, table2, table3, view1, view2, sequence1, sequence2 TO user
> : >
> : > Which I suppose you can do manually if you don't have phpPgAdmin installed.
> : >
> : > It ain't the prettiest, but it works!
> :
> : The problem is that this is not what I'm looking for. I want the user to be
> : able to create new tables, views, sequences, etc. on that database.
> 
> Oh, if you want to do that, then you don't have to do any granting of
> privileges.  It seems that Postgres allows any user to create a table on a

Er, to delete anything, the user would need to be a superuser.
Else, nyet, not necessary.

> database.  Even if the user is not the owner of the database.  AFAIK, there
> are no ACLs associated with the database.

For the heck of it, I will certify that this is correct.

> 
> I've posed this question before and have not received any response, but is
> this an undocumented feature or a security bug?  Personally, I don't think
> anyone should be able to create relations on a database they do not own.

It is both, depending on how you use it. ;-)

I would and do consider it a blindingly silly security risk, but 
apparently nobody else does. I asked before, but...
Just why the hell would somebody want *any* user of *any* database to be 
able to *create* anything under *any* other database?!?


dan

;-)

> 
> -Dan
> 
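
The lock-down this thread asks for, as an added example that is not part of the original message or of phpPgAdmin. It assumes a PostgreSQL release that has database-level and schema-level privileges, which the thread says the server under discussion lacks. The names appdb, app_owner and app_reader are constructed placeholders.

```sql
-- Constructed names (assumptions): database appdb, roles app_owner and app_reader.
-- Run as a superuser or as the owner of appdb, while connected to appdb.

-- 1. Remove the defaults that every role inherits through PUBLIC:
--    the right to connect to the database and to create objects in its
--    public schema.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Give exactly one role the ability the original poster wanted:
--    creating new tables, views and sequences in this database.
GRANT CONNECT, TEMPORARY ON DATABASE appdb TO app_owner;
GRANT USAGE, CREATE ON SCHEMA public TO app_owner;

-- 3. Replace the hand-assembled "GRANT ALL ON table1, table2, ..." list:
--    cover every existing table and sequence in one statement each, with
--    only the privileges the reader role needs.
GRANT CONNECT ON DATABASE appdb TO app_reader;
GRANT USAGE ON SCHEMA public TO app_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_reader;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_reader;

-- 4. Objects created later are not covered by step 3. Set default
--    privileges so that tables app_owner creates from now on are
--    readable by app_reader without another GRANT.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT ON TABLES TO app_reader;

-- 5. Audit: list every login role and whether it can still connect to
--    appdb or create objects in the public schema. Superusers always
--    report true; any other unexpected "t" is a grant to review.
SELECT r.rolname,
       r.rolsuper,
       has_database_privilege(r.rolname, 'appdb', 'CONNECT') AS can_connect,
       has_schema_privilege(r.rolname, 'public', 'CREATE')   AS can_create
FROM pg_roles AS r
WHERE r.rolcanlogin
ORDER BY r.rolname;
```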
