| From: | Alex Hunsaker <badalex(at)gmail(dot)com> |
|---|---|
| To: | "Wappler, Robert" <rwappler(at)ophardt(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Restricting the CREATEROLE privilege |
| Date: | 2010-02-25 16:16:32 |
| Message-ID: | 34d269d41002250816k78f8e26fl83c74921f1ac8b3f@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, Feb 25, 2010 at 08:22, Wappler, Robert <rwappler(at)ophardt(dot)com> wrote:
> Unfortunately, base_user inherits the connect privileges from role
> PUBLIC, regardless, whether it was created with NOINHERIT.
Yeah, IMO the documentation does not really spell out that limitation.
> How about changing the CREATEROLE privilege to be associated with a
> specific database instead of affecting all databases?
Well just on the grounds that it would break every current user of
CREATE ROLE... that's probably not going to happen. I could imagine
there could be some syntax sugar for this. But I don't think it would
be any nicer as you would probably need to REVOKE PUBLIC and inherit
anyway. Not to mention I'm not sure what the semantics would be or
where it gets its 'default' permissions. A ruff idea would be for
each database (except the connected one) REVOKE ALL on database. Of
course feel free to flesh it out and submit a patch :). In any event
its certainly too late for 9.0 and would not be back patched anyway...
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andy Yoder | 2010-02-25 16:36:25 | Tool for determining field usage of database tables |
| Previous Message | Dominik Sander | 2010-02-25 15:52:32 | Boolean partition constraint behaving strangely |