Re: Hot to restrict access to subset of data

On 7/4/05, Gregory Youngblood <pgcluster(at)netio(dot)org> wrote:
> I would strongly suggest that you create a database specific user,
> one that has read/write access within this database, and that your
> application use that user instead of the pg super user.
>
> In general, the "super user" should never be used, except for
> specific administrative tasks. This holds true for Windows
> Administrator, Unix root, and postgresql's postgres users. If your
> application runs under a single user to the database, then that
> single user should be one that you create specifically for that
> purpose, and not the postgres user.

Exactly. And the reasons are quite important also. PostgreSQL
superuser has right to run unsecure scripts. Let's assume the
unlikely situation that someone finds a hole in your page which
will allow her to do some SQL injections/etc.The "normal" user
is limited to what that user can do. In your case, probably wipe
out much of data. But superuser has right to make scripts
which are unsafe. In other words -- has right to execute almost
any command in name of UNIX postgres user. If abuser is skillful,
she can run some local root exploit and gain root priveleges,
assuming there is some local hole open. When using "normal"
user (who owns all the tables and so on; so is not limited from
point of view of application), it would be (much) harder for her
to gain such an access.

Regards,
Dawid