Lists: | pgsql-general |
---|
From: | Zoltan Boszormenyi <zb(at)cybertec(dot)at> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | REVOKE CONNECT doesn't work in 8.3.5 |
Date: | 2008-12-19 12:21:37 |
Message-ID: | 494B91D1.4070905@cybertec.at |
Hi,
It seems REVOKE CONNECT doesn't work as advertised.
I have "trust" entries in pg_hba.conf because my machine is closed.
I added some PG users, and one of them was used in:
REVOKE CONNECT ON DATABASE zozo FROM hs;
However, user "hs" can happily connect to database "zozo"
despite the REVOKE. Documentation says at
http://www.postgresql.org/docs/8.3/interactive/sql-grant.html :
CONNECT
Allows the user to connect to the specified database.
This privilege is checked at connection startup (in addition to checking
any restrictions imposed by pg_hba.conf).
To me, this means that REVOKE CONNECT is a veto over "trust".
Is it not?
Best regards,
Zoltán Böszörményi
--
Bible has answers for everything. Proofs:
"But let your communication be, Yea, yea; Nay, nay: for whatsoever is more
than these cometh of evil." (Matthew 5:37) - basics of digital technology.
"May your kingdom come" - superstitious description of plate tectonics
----------------------------------
Zoltán Böszörményi
Cybertec Schönig & Schönig GmbH
http://www.postgresql.at/
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Zoltan Boszormenyi <zb(at)cybertec(dot)at> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: REVOKE CONNECT doesn't work in 8.3.5 |
Date: | 2008-12-19 13:43:35 |
Message-ID: | 6975.1229694215@sss.pgh.pa.us |
Zoltan Boszormenyi <zb(at)cybertec(dot)at> writes:
> I have "trust" entries in pg_hba.conf because my machine is closed.
> I added some PG users, and one of them was used in:
> REVOKE CONNECT ON DATABASE zozo FROM hs;
> However, user "hs" can happily connect to database "zozo"
> despite the REVOKE.
Unless you had previously done a specific GRANT CONNECT TO hs,
the above command doesn't do a darn thing. The privilege that
actually exists by default is a grant of connect to PUBLIC.
What you need to do is REVOKE FROM PUBLIC, and then GRANT to
whichever users/groups you want to allow to connect.
regards, tom lane
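
The sequence described in the reply above, as an added SQL walkthrough that is not part of the original thread. The database `zozo` and user `hs` come from the thread; the group role `app_users` is a hypothetical name introduced for illustration.

```sql
-- Added example (not from the thread). zozo and hs are the names used in
-- the thread; app_users is a hypothetical group role.

-- 1. Inspect the database ACL. A NULL datacl means the built-in defaults
--    apply, and those defaults include CONNECT for PUBLIC. In a non-NULL
--    ACL, an entry with an empty grantee name (text before "=") is PUBLIC.
SELECT datname, datacl
FROM pg_database
WHERE datname = 'zozo';

-- 2. Ask for the effective privilege of hs. This covers privileges that
--    hs inherits through PUBLIC, not only direct grants to hs.
SELECT has_database_privilege('hs', 'zozo', 'CONNECT') AS hs_can_connect;

-- 3. The statement from the original post. hs holds no direct CONNECT
--    grant, so there is nothing to remove and step 2 gives the same
--    answer when repeated afterwards.
REVOKE CONNECT ON DATABASE zozo FROM hs;

-- 4. Remove the default grant itself, then allow-list who may connect.
--    Superusers and the database owner are not affected by this.
REVOKE CONNECT ON DATABASE zozo FROM PUBLIC;
CREATE ROLE app_users NOLOGIN;               -- hypothetical group role
GRANT CONNECT ON DATABASE zozo TO app_users;
-- Add members with: GRANT app_users TO <role>;

-- 5. Re-check. hs now needs membership in app_users (or a direct grant)
--    for this to report true, and datacl no longer carries a PUBLIC
--    entry that includes CONNECT.
SELECT has_database_privilege('hs', 'zozo', 'CONNECT') AS hs_can_connect;
SELECT datname, datacl
FROM pg_database
WHERE datname = 'zozo';
```

Databases created later start with the default PUBLIC grant again, so the revoke in step 4 has to be repeated for each new database.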
From: | Zoltan Boszormenyi <zb(at)cybertec(dot)at> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: REVOKE CONNECT doesn't work in 8.3.5 |
Date: | 2008-12-19 14:21:35 |
Message-ID: | 494BADEF.9080108@cybertec.at |
Tom Lane wrote:
> Zoltan Boszormenyi <zb(at)cybertec(dot)at> writes:
>> I have "trust" entries in pg_hba.conf because my machine is closed.
>> I added some PG users, and one of them was used in:
>> REVOKE CONNECT ON DATABASE zozo FROM hs;
>> However, user "hs" can happily connect to database "zozo"
>> despite the REVOKE.
>
> Unless you had previously done a specific GRANT CONNECT TO hs,
> the above command doesn't do a darn thing. The privilege that
> actually exists by default is a grant of connect to PUBLIC.
> What you need to do is REVOKE FROM PUBLIC, and then GRANT to
> whichever users/groups you want to allow to connect.
>
> regards, tom lane
Thanks very much for the clarification. The documentation
doesn't spell it out as clearly. Another possibility is that
I can't read and interpret correctly. :-)
--
Zoltán Böszörményi
Cybertec Schönig & Schönig GmbH
http://www.postgresql.at/