Re: Fwd: Identify system databases

On Wed, Apr 16, 2025 at 4:39 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Laurenz Albe <laurenz.albe@cybertec.at> writes:
> > On Wed, 2025-04-16 at 10:09 +0200, Dominique Devienne wrote:

So in a way, you guys are saying one should never REVOKE CONNECT ON
DATABASE FROM PUBLIC?

All my DBs are not PUBLIC-accessible.
And inside my DBs, I try to revoke everything from PUBLIC
(USAGE ON TYPES, EXECUTE ON ROUTINES).
Nor do I use the public schema.
And I never use the "built-in" postgres database.
Basically I want all GRANTs to be explicit.

Given the above, I'd want to not provide access to the postgres DB too.
Yet have a way to discover which DBs I can connect to, from the "cluster only".
Naively.

Sounds like you are saying use the "postgres" DB for that, and move on. --DD

D:\>ppg -c acme -d postgres database_ --acls
Connected OK (postgresql://ddevienne@acme/postgres); with SSL
|----------|----------|-----------|-----------|
| Grantor  | Grantee  | Privilege | Grantable |
|----------|----------|-----------|-----------|
| postgres | PUBLIC   | TEMPORARY |    NO     |
| postgres | PUBLIC   | CONNECT   |    NO     |
| postgres | postgres | CREATE    |    NO     |
| postgres | postgres | TEMPORARY |    NO     |
| postgres | postgres | CONNECT   |    NO     |
|----------|----------|-----------|-----------|
5 ACLs to 2 Grantees from 1 Grantor