| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Craig Ringer <ringerc(at)ringerc(dot)id(dot)au> |
| Cc: | David Fetter <david(at)fetter(dot)org>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: "default deny" for roles |
| Date: | 2012-08-29 01:32:40 |
| Message-ID: | 503D7138.2030008@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 08/28/2012 09:09 PM, Craig Ringer wrote:
> On 08/29/2012 01:25 AM, David Fetter wrote:
>> Folks,
>>
>> There are situations where a "default deny" policy is the best fit.
>>
>> To that end, I have a modest proposal:
>>
>> REVOKE PUBLIC FROM role;
>>
>> Thenceforth, the role in question would only have access to things it
>> was specifically granted.
>
> Wouldn't that render the user utterly unable to do anything until you
> added a bunch of GRANTs on the system catalogs for that user or a
> group they're a member of?
No.
Try it and see. You can do a lot without having any access rights at all
to the catalog tables.
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Craig Ringer | 2012-08-29 01:46:00 | Re: MySQL search query is not executing in Postgres DB |
| Previous Message | Tatsuo Ishii | 2012-08-29 01:25:27 | Re: 64-bit API for large object |