| From: | "Ezra Epstein" <news-reader(at)prajnait(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Any way to have CREATEUSER privs without having all privs? |
| Date: | 2004-01-07 05:04:01 |
| Message-ID: | MOOdnUQVgI7ODmaiXTWc-g@speakeasy.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote in message
news:6596(dot)1073173257(at)sss(dot)pgh(dot)pa(dot)us(dot)(dot)(dot)
> "ezra epstein" <ee_newsgroup_post(at)prajnait(dot)com> writes:
> > Basically I want a login user that can then set session auth... to any
other
> > user but otherwise has no privs.
>
> You have not thought this through.
>
> If user X can become any other user Y, then he can do anything that is
> doable within the system. Pretending that he is not superuser is
> pointless.
>
> regards, tom lane
>
I know, I know.... It's like I want something that just isn't possible. I
want good DB-level security in the app without requiring the overhead of
per-userid login: so connection pools can work. The app could be careful
with super user... but it is probably better to just go the ordinary route
of an app account with enough privs to do everything and then have the
app/servlet container manage security.
Thanks,
== EE
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Helgason | 2004-01-07 05:22:33 | Re: SPI question (or not): trying to read from Large Objects from within a function |
| Previous Message | Ezra Epstein | 2004-01-07 05:00:10 | Re: Passing a comma delimited list to a function |