Re: few security questions

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: R D <mrk279(at)yahoo(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: few security questions
Date: 2000-05-30 16:09:45
Message-ID: Pine.LNX.4.21.0005292022500.359-100000@localhost.localdomain
Lists: pgsql-admin

R D writes:

> 1. How can I forbid some users to create tables
> in some databases which they can access.

You can't. Working on that ...

> 2. How can I GRANT/REJECT some privileges on all
> objects in a database TO/FROM some users, since I
> can't type "GRANT ALL ON * TO SOMEUSER;" in PgSQL. Is
> there any functional analog?

You can't internally. You can read the list of all tables from the
pg_class system catalog and have your application issue the command GRANT
x ON table1, table2, table3, ... TO y.

> 3. How can I reject to some users connections to
> some databases from any host using password
> authentication?

You can create a separate password file for the databases and only list
the users you want in that password file. The syntax for this is
`... password filename' in pg_hba.conf. See also the pg_passwd command for
making password files.

> 4. Why does this pg_hba.conf not allow users from
> 192.168.200.X to connect to the databases with message
> telling that there was no entry for 192.168.200.x in
> pg_hba.conf?
> # pg_hba.conf
>
> local all trust
> host all 0.0.0.0 0.0.0.0 reject
> host all 192.168.200.0 255.255.255.0 password

Because a mask of 0.0.0.0 matches every host, so the reject kicks in. The
logic here is that

({host entry} XOR {actual host}) AND {mask entry}

must be 0 for a record to match.

--
Peter Eisentraut Sernanders väg 10:115
peter_e(at)gmx(dot)net 75262 Uppsala
http://yi.org/peter-e/ Sweden
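
The matching rule from the answer to question 4, applied to the quoted pg_hba.conf, as an added example that is not part of the original message or of PostgreSQL's code. It assumes records are checked top to bottom and the first match decides; the client addresses, the database name `mydb` and the reordered file are constructed for illustration.

```python
import ipaddress

def ip(s):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def record_matches(host_entry, mask_entry, actual_host):
    # Rule quoted in the message: (host entry XOR actual host) AND mask == 0
    return ((ip(host_entry) ^ ip(actual_host)) & ip(mask_entry)) == 0

def parse_hba(text):
    """Collect 'host <db> <addr> <mask> <method> ...' records in file order.
    'local' lines are skipped: they only cover Unix-socket connections."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] == "host":
            records.append(tuple(fields[1:5]))
    return records

def decide(records, client, database):
    """Return (method, (addr, mask)) of the first matching record, else None."""
    for db, addr, mask, method in records:
        if db in ("all", database) and record_matches(addr, mask, client):
            return method, (addr, mask)
    return None

# The file as quoted in the question.
AS_POSTED = """\
local all trust
host all 0.0.0.0 0.0.0.0 reject
host all 192.168.200.0 255.255.255.0 password
"""

# Constructed reordering: specific subnet first, catch-all reject last.
REORDERED = """\
local all trust
host all 192.168.200.0 255.255.255.0 password
host all 0.0.0.0 0.0.0.0 reject
"""

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for client in ("192.168.200.17", "10.1.2.3"):  # constructed clients
            print(name, client, decide(parse_hba(conf), client, "mydb"))
```

With the file as posted, the catch-all reject record is the one that matches 192.168.200.17, so the password record below it is never consulted.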
