Re: TODO item: set proper permissions on non-system schemas

From: Andrew - Supernews
Subject: Re: TODO item: set proper permissions on non-system schemas
Date:
Msg-id: slrndhefto.1vfu.andrew+nonews@trinity.supernews.net
In reply to: TODO item: set proper permissions on non-system schemas  (Jaime Casanova <systemguards@gmail.com>)
List: pgsql-hackers

On 2005-09-01, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Andrew Dunstan <andrew@dunslane.net> writes:
>> Tom Lane wrote:
>>> Change the ownership of public in template1 to be a "dbadmin" group.
>>> Grant membership in "dbadmin" to all the DB owners.  End of problem.
>
>> Won't that suddenly grant the owner of foo_db  dbadmin rights in bar_db? 
>> That seems to violate the principle of least surprise.
>
> I'm assuming here that the various dbowners aren't even allowed to
> connect to each others' databases.

Which implies either that you limit each dbowner to one db (in which case
why give them createdb privilege in the first place) or that you require
superuser intervention to modify pg_hba for each database created.

-- 
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services

