Re: Permissions on non-owned database

Lists: pgsql-general
From: Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua>
To: pgsql-general(at)postgresql(dot)org
Subject: Permissions on non-owned database
Date: 2002-01-23 10:39:27
Message-ID: 179613338423.20020123123927@al.org.ua
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

Hello

I have a strange problem and cannot realize is it really true.
There are 2 problems - first one is that any user can create table
(or probably any other object) in non-owned database.
The second is that any postgres user can create object in template1
database. I've used 7.0.2 and never seen such problems.
The postgres 7.1.3 was installed from scratch and nothing was changed
from default configuration - I've only created 2 users + one db and
check the situation.

Can somebody tell me what may be a problem here ?

thanks,
--
Dimitry

From: Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Permissions on non-owned database
Date: 2002-01-23 14:09:10
Message-ID: 322511041.20020123160910@al.org.ua
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

Sorry, guys - is also happens under 7.0.2
So I still have only one question - HOW CAN I GET OVER THAT ?

Wednesday, January 23, 2002, 12:38:27 PM, Dmitry Alyabyev wrote:

> Hello

> I have a strange problem and cannot realize is it really true.
> There are 2 problems - first one is that any user can create table
> (or probably any other object) in non-owned database.
> The second is that any postgres user can create object in template1
> database. I've used 7.0.2 and never seen such problems.
> The postgres 7.1.3 was installed from scratch and nothing was changed
> from default configuration - I've only created 2 users + one db and
> check the situation.

> Can somebody tell me what may be a problem here ?

> thanks,

--
Dimitry

From: Stephan Szabo <sszabo(at)megazone23(dot)bigpanda(dot)com>
To: Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Permissions on non-owned database
Date: 2002-01-23 16:18:34
Message-ID: 20020123081607.B18169-100000@megazone23.bigpanda.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

On Wed, 23 Jan 2002, Dmitry Alyabyev wrote:

> Hello
>
> I have a strange problem and cannot realize is it really true.
> There are 2 problems - first one is that any user can create table
> (or probably any other object) in non-owned database.
> The second is that any postgres user can create object in template1
> database. I've used 7.0.2 and never seen such problems.
> The postgres 7.1.3 was installed from scratch and nothing was changed
> from default configuration - I've only created 2 users + one db and
> check the situation.
>
> Can somebody tell me what may be a problem here ?

Right now there's no permissions for preventing creation in a database you
can connect to. If the user doesn't need to be able to connect to the
database in question, you can remove their access to it via your
pg_hba.conf file.

From: Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua>
To: Stephan Szabo <sszabo(at)megazone23(dot)bigpanda(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Permissions on non-owned database
Date: 2002-01-23 16:37:23
Message-ID: 4411350304.20020123183723@al.org.ua
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote:

> Right now there's no permissions for preventing creation in a database you
> can connect to. If the user doesn't need to be able to connect to the
> database in question, you can remove their access to it via your
> pg_hba.conf file.

How can I separate these users if they are connecting from one IP ?
Using ident auth isn't secure enough, imho

--
Dimitry

From: Doug McNaught <doug(at)wireboard(dot)com>
To: Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua>
Cc: Stephan Szabo <sszabo(at)megazone23(dot)bigpanda(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Permissions on non-owned database
Date: 2002-01-23 17:13:06
Message-ID: m3d701c7od.fsf@varsoon.denali.to
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua> writes:

> Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote:
>
> > Right now there's no permissions for preventing creation in a database you
> > can connect to. If the user doesn't need to be able to connect to the
> > database in question, you can remove their access to it via your
> > pg_hba.conf file.
>
> How can I separate these users if they are connecting from one IP ?
> Using ident auth isn't secure enough, imho

If they're on a different host, and you're not willing to trust
ident, I think some kind of password auth is the only way to go.

-Doug
--
Let us cross over the river, and rest under the shade of the trees.
--T. J. Jackson, 1863

From: Stephan Szabo <sszabo(at)megazone23(dot)bigpanda(dot)com>
To: Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Permissions on non-owned database
Date: 2002-01-23 17:42:48
Message-ID: 20020123094145.K19046-100000@megazone23.bigpanda.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general


On Wed, 23 Jan 2002, Dmitry Alyabyev wrote:

> Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote:
>
> > Right now there's no permissions for preventing creation in a database you
> > can connect to. If the user doesn't need to be able to connect to the
> > database in question, you can remove their access to it via your
> > pg_hba.conf file.
>
> How can I separate these users if they are connecting from one IP ?
> Using ident auth isn't secure enough, imho

Probably password or crypt with per database password files.

From: Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua>
To: Doug McNaught <doug(at)wireboard(dot)com>
Cc: Stephan Szabo <sszabo(at)megazone23(dot)bigpanda(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Permissions on non-owned database
Date: 2002-01-23 18:58:27
Message-ID: 33480065.20020123205827@al.org.ua
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

Wednesday, January 23, 2002, 7:13:06 PM, Doug McNaught wrote:

> Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua> writes:

>> Wednesday, January 23, 2002, 6:18:34 PM, Stephan Szabo wrote:
>>
>> > Right now there's no permissions for preventing creation in a database you
>> > can connect to. If the user doesn't need to be able to connect to the
>> > database in question, you can remove their access to it via your
>> > pg_hba.conf file.
>>
>> How can I separate these users if they are connecting from one IP ?
>> Using ident auth isn't secure enough, imho

> If they're on a different host, and you're not willing to trust
> ident, I think some kind of password auth is the only way to go.

No, I'm talking about remove their access to some db's via pg_hba.conf

--
Dimitry

From: Doug McNaught <doug(at)wireboard(dot)com>
To: Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua>
Cc: Stephan Szabo <sszabo(at)megazone23(dot)bigpanda(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Permissions on non-owned database
Date: 2002-01-28 02:44:16
Message-ID: m3k7u3b3en.fsf@varsoon.denali.to
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-general

Dmitry Alyabyev <dimitry(at)al(dot)org(dot)ua> writes:

> > If they're on a different host, and you're not willing to trust
> > ident, I think some kind of password auth is the only way to go.
>
> No, I'm talking about remove their access to some db's via pg_hba.conf

Well, in order to do that securely, you have to know who they are; this
requires identd, peer or password authentication.

-Doug
--
Let us cross over the river, and rest under the shade of the trees.
--T. J. Jackson, 1863