Re: Curious case of the unstoppable user

From: Guillaume Lelarge <guillaume(at)lelarge(dot)info>
To: Thom Brown <thom(at)linux(dot)com>
Cc: PGSQL Mailing List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Curious case of the unstoppable user
Date: 2011-03-29 20:59:18
Message-ID: 4D924826.2090907@lelarge.info
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Le 29/03/2011 20:44, Thom Brown a écrit :
> Hi all,
>
> I've just set up a test user, revoked all access from them to a
> database, then tried to connect to that database and it let me in.
> When I try it all from scratch, it works correctly.
>
> Here's the set running correctly:
>
> postgres=# CREATE DATABASE testdb;
> CREATE DATABASE
> postgres=# CREATE ROLE testrole;
> CREATE ROLE
> postgres=# REVOKE ALL ON DATABASE testdb FROM testrole CASCADE;
> REVOKE
> postgres=# \c testdb testrole
> FATAL: role "testrole" is not permitted to log in
> Previous connection kept
>

This is because you created a role without the login attribute. IOW, it
has nothing to do with your REVOKE statement. Proof:

postgres=# CREATE DATABASE testdb;
CREATE DATABASE
postgres=# CREATE ROLE testrole;
CREATE ROLE
postgres=# \c testdb testrole
FATAL: role "testrole" is not permitted to log in
Previous connection kept

> But now if I try something similar with an existing user and existing
> database, it doesn't work:
>
> postgres=# REVOKE ALL ON DATABASE stuff FROM meow CASCADE;
> REVOKE
> postgres=# \c stuff meow
> You are now connected to database "stuff" as user "meow".
>
> So, I'm overlooking something. Could someone tell me what it is? I
> bet it's something obvious. I'm using 9.1dev if it's relevant.
>

Yeah. You probably created meow as a user, with is a role with the login
attribute. The \dg+ metacommand tells us exactly that:

> stuff=> \dg+
> List of roles
> Role name | Attributes | Member
> of | Description
> -----------+------------------------------------------------+-----------+-------------
> meow | | {} |
> testrole | Cannot login | {} |
> thom | Superuser, Create role, Create DB, Replication | {} |

So:

postgres=# CREATE USER meow;
CREATE ROLE
postgres=# \c testdb meow
You are now connected to database "testdb" as user "meow".

Now, you not only need to revoke connect permission to meow. You need to
do it to public too:

testdb=> \c testdb postgres
You are now connected to database "testdb" as user "postgres".
testdb=# REVOKE ALL ON DATABASE testdb FROM meow CASCADE;
REVOKE
testdb=# \c testdb meow
You are now connected to database "testdb" as user "meow".

Same result as you. Now, revoke connect permission to public:

testdb=> \c testdb postgres
You are now connected to database "testdb" as user "postgres".
testdb=# REVOKE ALL ON DATABASE testdb FROM PUBLIC CASCADE;
REVOKE
testdb=# \c testdb meow
FATAL: permission denied for database "testdb"
DETAIL: User does not have CONNECT privilege.
Previous connection kept

Cheers.

--
Guillaume
http://www.postgresql.fr
http://dalibo.com

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Thom Brown 2011-03-29 21:12:43 Re: Curious case of the unstoppable user
Previous Message Thom Brown 2011-03-29 20:56:39 Re: Curious case of the unstoppable user