Re: postgres db permissions

From: Melvin Davidson <melvin6925(at)gmail(dot)com>
To: Steve Pribyl <Steve(dot)Pribyl(at)akunacapital(dot)com>
Cc: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: postgres db permissions
Date: 2015-06-02 17:55:44
Message-ID: CANu8FiyHUe6cM2sfyB1KFE-0c5_6MbwLpiMRV4OU_WgA27C9_Q@mail.gmail.com
Lists: pgsql-general

Your problem is probably the "INHERIT" and
GRANT dbA TO bob;
GRANT dbA_ro TO bob;
GRANT dbB TO bob;
GRANT dbB_ro TO bob;

options. If any of the dbA's have the permission to CREATE tables (and I
suspect they do), so will bob.

On Tue, Jun 2, 2015 at 1:50 PM, Steve Pribyl <Steve(dot)Pribyl(at)akunacapital(dot)com>
wrote:

> Josh,
>
> Via psql:
> CREATE ROLE bob LOGIN
> NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
> GRANT dbA TO bob;
> GRANT dbA_ro TO bob;
> GRANT dbB TO bob;
> GRANT dbB_ro TO bob;
>
> dbA, dbA_ro, dbB, and dbB_ro are roles.
>
> I have not created any database yet or assigned permissions to the roles.
>
> Steve Pribyl
>
>
>
> ________________________________________
> From: pgsql-general-owner(at)postgresql(dot)org <pgsql-general-owner(at)postgresql(dot)org> on behalf of Joshua D. Drake <jd(at)commandprompt(dot)com>
> Sent: Tuesday, June 2, 2015 12:44 PM
> To: pgsql-general(at)postgresql(dot)org
> Subject: Re: [GENERAL] postgres db permissions
>
> On 06/02/2015 10:36 AM, Steve Pribyl wrote:
> >
> > Good Afternoon,
> >
> > Built a fresh 9.3 postgres server and added some users and noticed that
> > any user can create tables in any database including the postgres database
> > by default.
> >
> > Have I missed some step in securing the default install?
>
> How exactly did you add the users?
>
> JD
>
>
>
> --
> Command Prompt, Inc. - http://www.commandprompt.com/ 503-667-4564
> PostgreSQL Centered full stack support, consulting and development.
> Announcing "I'm offended" is basically telling the world you can't
> control your own emotions, so everyone else should do it for you.
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

--
*Melvin Davidson*
I reserve the right to fantasize. Whether or not you
wish to share my fantasy is entirely up to you.
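
An added example, not part of the thread: a psql audit that separates what bob gets through membership in dbA, dbA_ro, dbB and dbB_ro from what every role gets through the PUBLIC pseudo-role, followed by one way to restrict table creation. It relies on the PostgreSQL default (releases before 15) that schema public grants CREATE to PUBLIC; treating dbA as the read-write role in step 4 is an assumption.

```sql
-- Role names come from the thread. Unquoted identifiers fold to lower
-- case, so dbA is stored in the catalogs as 'dba'.

-- 1. Roles bob is a member of, and whether bob inherits their privileges.
SELECT m.rolname    AS member,
       m.rolinherit AS inherits,
       g.rolname    AS granted_role
FROM pg_auth_members am
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.roleid
WHERE m.rolname = 'bob';

-- 2. Effective privileges in the current database. If the group roles
--    report true here without any GRANT of their own, the privilege is
--    not coming from role membership.
SELECT r.rolname,
       has_database_privilege(r.rolname, current_database(), 'CONNECT')
           AS can_connect,
       has_schema_privilege(r.rolname, 'public', 'CREATE')
           AS can_create_in_public
FROM pg_roles r
WHERE r.rolname IN ('bob', 'dba', 'dba_ro', 'dbb', 'dbb_ro')
ORDER BY r.rolname;

-- 3. Explicit ACL entries on schema public. Grantee OID 0 is PUBLIC,
--    i.e. every role, including ones created later.
SELECT n.nspname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM pg_namespace n
CROSS JOIN LATERAL aclexplode(n.nspacl) AS a
WHERE n.nspname = 'public';

-- 4. Restrict table creation to one group role. Run in every database,
--    and in template1 so that new databases start restricted.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT  CREATE ON SCHEMA public TO dbA;      -- assumption: dbA is read-write

-- 5. Re-check. bob now holds CREATE only through INHERIT from dbA;
--    dba_ro, dbb and dbb_ro should report false.
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'public', 'CREATE')
           AS can_create_in_public
FROM pg_roles r
WHERE r.rolname IN ('bob', 'dba', 'dba_ro', 'dbb', 'dbb_ro')
ORDER BY r.rolname;
```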
