| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "David Johnston" <polobo(at)yahoo(dot)com> |
| Cc: | "'Vincent de Phily'" <vincent(dot)dephily(at)mobile-devices(dot)fr>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Privilege on schema 'public' not revokable |
| Date: | 2012-02-29 19:14:19 |
| Message-ID: | 5055.1330542859@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"David Johnston" <polobo(at)yahoo(dot)com> writes:
> [mailto:pgsql-general-owner(at)postgresql(dot)org] On Behalf Of Vincent de Phily
>> [ this doesn't do anything: ]
>> db_foo=# REVOKE CREATE ON SCHEMA public FROM foouser;
> "foouser" is obtaining its permission to "CREATE" on the "public " schema
> via global/PUBLIC permissions (i.e., via inheritance). Revoking only
> removes an explicitly granted permission but does not institute a block for
> an inherited permission. You would need to revoke the global permission to
> CREATE on "public" and then only GRANT it back to those users/roles that you
> wish to have it - all others will then effectively lose that ability.
Correct. Note where it says in the GRANT manual page that a user's
effective rights are the sum of those granted to PUBLIC, those granted
directly to him, and those granted to roles he is a member of. Rights
granted to PUBLIC are available to everybody, full stop, and can't be
selectively blocked.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ben Chobot | 2012-02-29 19:44:10 | Re: Re: One transaction by connection - commit subdetails without release master transaction? |
| Previous Message | Raymond O'Donnell | 2012-02-29 19:07:16 | Re: Calling Functions With OUT paramaters |