Yes. It is NEVER a good idea to use GRANT ALL on objects for users. Some people use that as a short cut for allowing access to schemas and tables, but in essence, it allows the users to do much more, and that is BAD!
http://www.postgresql.org/docs/9.3/interactive/sql-grant.html

On Tue, Jun 2, 2015 at 2:08 PM, Steve Pribyl <steve.pri...@akunacapital.com> wrote:

> They all look like this.
>
> CREATE ROLE dbA
>   NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
>
> Steve Pribyl
>
> ________________________________________
> From: Adrian Klaver <adrian.kla...@aklaver.com>
> Sent: Tuesday, June 2, 2015 1:06 PM
> To: Steve Pribyl; Joshua D. Drake; pgsql-general@postgresql.org
> Subject: Re: [GENERAL] postgres db permissions
>
> On 06/02/2015 10:50 AM, Steve Pribyl wrote:
> > Josh,
> >
> > Via psql:
> > CREATE ROLE bob LOGIN
> >   NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
> > GRANT dbA TO bob;
> > GRANT dbA_ro TO bob;
> > GRANT dbB TO bob;
> > GRANT dbB_ro TO bob;
> >
> > dbA, dbA_ro, dbB, and dbB_ro are roles.
>
> The burning question would be, how were they created?
>
> >
> > I have not created any database yet or assigned permissions to the roles.
> >
> > Steve Pribyl
> >
> > ________________________________________
> > From: pgsql-general-ow...@postgresql.org <pgsql-general-ow...@postgresql.org> on behalf of Joshua D. Drake <j...@commandprompt.com>
> > Sent: Tuesday, June 2, 2015 12:44 PM
> > To: pgsql-general@postgresql.org
> > Subject: Re: [GENERAL] postgres db permissions
> >
> > On 06/02/2015 10:36 AM, Steve Pribyl wrote:
> >>
> >> Good Afternoon,
> >>
> >> Built a fresh 9.3. postgres server and added some users and noticed that any user can create tables in any database including the postgres database by default.
> >>
> >> Have I missed some step in securing the default install?
> >
> > How exactly did you add the users?
> >
> > JD
> >
> > --
> > Command Prompt, Inc. - http://www.commandprompt.com/ 503-667-4564
> > PostgreSQL Centered full stack support, consulting and development.
> > Announcing "I'm offended" is basically telling the world you can't
> > control your own emotions, so everyone else should do it for you.
> >
> > --
> > Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> > To make changes to your subscription:
> > http://www.postgresql.org/mailpref/pgsql-general
> > ________________________________
> > Steve Pribyl | Senior Systems Engineer
> > Akuna Capital LLC
> >
>
> --
> Adrian Klaver
> adrian.kla...@aklaver.com

--
*Melvin Davidson*
I reserve the right to fantasize. Whether or not you wish to share my fantasy is entirely up to you.
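
An added example, not part of the thread: the defaults behind "any user can create tables in any database" on 9.3, and explicit grants in place of GRANT ALL. The role names bob, dbA and dbA_ro come from the thread; the database `appdb`, the schema `app` and the role `app_owner` are assumed names.

```sql
-- Added illustration; appdb, app and app_owner are assumed names.
-- Unquoted role names fold to lower case, so dbA is stored as "dba".

-- On PostgreSQL 9.3 the "public" schema of every database grants CREATE and
-- USAGE to the pseudo-role PUBLIC, and each database grants CONNECT and
-- TEMPORARY to PUBLIC. That is why a plain LOGIN role can create tables.
-- Run the schema revoke in every database, including "postgres", and in
-- "template1" so that databases created later inherit it.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE appdb FROM PUBLIC;

-- Keep application objects in a schema owned by a dedicated non-login role.
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

-- Grant only what each group role needs, privilege by privilege.
GRANT CONNECT ON DATABASE appdb TO dbA, dbA_ro;
GRANT USAGE ON SCHEMA app TO dbA, dbA_ro;

-- Read-write role: DML only.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO dbA;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO dbA;

-- Read-only role.
GRANT SELECT ON ALL TABLES IN SCHEMA app TO dbA_ro;

-- Cover tables that app_owner creates later.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO dbA;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT ON TABLES TO dbA_ro;

-- For comparison, what the GRANT ALL shortcut hands out:
--   GRANT ALL ON DATABASE appdb ...  -> CREATE, CONNECT, TEMPORARY
--   GRANT ALL ON SCHEMA app ...      -> CREATE, USAGE
--   GRANT ALL ON ALL TABLES ...      -> SELECT, INSERT, UPDATE, DELETE,
--                                       TRUNCATE, REFERENCES, TRIGGER

-- Check the result for bob, who inherits from dbA and dbA_ro.
SELECT has_schema_privilege('bob', 'public', 'CREATE')   AS public_create,
       has_schema_privilege('bob', 'app', 'CREATE')      AS app_create,
       has_database_privilege('bob', 'appdb', 'CONNECT') AS can_connect;
```

With the grants above, the check is expected to return false, false, true for bob.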