| From: | Rob Sargent <robjsargent(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: connect permission based on database name |
| Date: | 2022-05-25 14:38:31 |
| Message-ID: | cb6ebae1-2ee9-df60-54b7-00d0f4810850@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 5/25/22 08:20, Tom Lane wrote:
> Rob Sargent<robjsargent(at)gmail(dot)com> writes:
>> Just wondering if I've bumped into some security issue.
>> I'm somewhat surprised that "grant connect to database <dbname> to
>> <role>" appears to be stored "by name"?
> I think you are forgetting that databases have a default GRANT CONNECT
> TO PUBLIC. You need to revoke that before other grants/revokes will
> have any functional effect.
>
> regards, tom lane
And then the search path is "just a string"?
psql --user oldrole --dbname newdb --host $DBHOST
psql (12.11, server 12.7)
SSL connection (protocol: TLSv1.2, cipher:
ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
newdb=> show search_path;
search_path
--------------------
study, base, public
(1 row)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G. Johnston | 2022-05-25 14:44:18 | Re: connect permission based on database name |
| Previous Message | Tom Lane | 2022-05-25 14:38:24 | Re: existing row not found by SELECT ... WHERE CTID = ? |