Thread: REVOKE not working...


REVOKE not working...

From
Joe Maldonado
Date:
Hello all,
    I have created users for which I have restricted access to SELECT
from a set of tables, this works :)
    But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...I've also issued this command for the
SCHEMA and still no go.

Is this a known problem, if so how can I restrict users from creating
objects in my db?

Thanks,

-Joe

Re: REVOKE not working...

From
"Scott Marlowe"
Date:
On Wed, 2004-10-20 at 08:17, Joe Maldonado wrote:
> Hello all,
>     I have created users for which I have restricted access to SELECT
> from a set of tables, this works :)
>     But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
> The user can still create tables...I've also issued this command for the
> SCHEMA and still no go.
>
> Is this a known problem, if so how can I restrict users from creating
> objects in my db?

Is myuser a superuser?  If so, you can revoke all you want and he'll
still be able to do anything he wants.  Also, I think that if myuser
owns the current database he can always create tables in it.


Re: REVOKE not working...

From
Tom Lane
Date:
Joe Maldonado <jmaldonado@webehosting.biz> writes:
>     But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
> The user can still create tables...

CREATE privilege on a database concerns the right to create schemas
within the database.  Whether you can create tables within a schema
is a different privilege on a different object.  In particular, the
default setup is that everyone can create tables within the "public"
schema in each database.  Revoke CREATE on that (from PUBLIC, not just
myuser) and you'll start to get somewhere.

            regards, tom lane

Re: REVOKE not working...

From
Joe Maldonado
Date:
Scott Marlowe wrote:

>On Wed, 2004-10-20 at 08:17, Joe Maldonado wrote:
>
>
>>Hello all,
>>    I have created users for which I have restricted access to SELECT
>>from a set of tables, this works :)
>>    But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
>>The user can still create tables...I've also issued this command for the
>>SCHEMA and still no go.
>>
>>Is this a known problem, if so how can I restrict users from creating
>>objects in my db?
>>
>>
>
>Is myuser a superuser?  If so, you can revoke all you want and he'll
>still be able to do anything he wants.  Also, I think that if myuser
>owns the current database he can always create tables in it.
>
>
>
>
myuser is not a superuser.  Is the public schema special in that you
cannot revoke create privileges from users accessing it?

-Joe



Re: REVOKE not working...

From
"Scott Marlowe"
Date:
On Thu, 2004-10-21 at 10:49, Joe Maldonado wrote:
> Scott Marlowe wrote:
>
> >On Wed, 2004-10-20 at 08:17, Joe Maldonado wrote:
> >
> >
> >>Hello all,
> >>    I have created users for which I have restricted access to SELECT
> >>from a set of tables, this works :)
> >>    But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
> >>The user can still create tables...I've also issued this command for the
> >>SCHEMA and still no go.
> >>
> >>Is this a known problem, if so how can I restrict users from creating
> >>objects in my db?
> >>
> >>
> >
> >Is myuser a superuser?  If so, you can revoke all you want and he'll
> >still be able to do anything he wants.  Also, I think that if myuser
> >owns the current database he can always create tables in it.
> >
> >
> >
> >
> myuser is not a superuser.  is the public schema special in that you
> cannot revoke create privileges from users accessing it?

Is myuser the creator of the database in question?


Re: REVOKE not working...

From
Joe Maldonado
Date:
Scott Marlowe wrote:

>On Thu, 2004-10-21 at 10:49, Joe Maldonado wrote:
>
>
>>Scott Marlowe wrote:
>>
>>
>>
>>>On Wed, 2004-10-20 at 08:17, Joe Maldonado wrote:
>>>
>>>
>>>
>>>
>>>>Hello all,
>>>>   I have created users for which I have restricted access to SELECT
>>>>
>>>>
>>>>from a set of tables, this works :)
>>>
>>>
>>>>   But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
>>>>The user can still create tables...I've also issued this command for the
>>>>SCHEMA and still no go.
>>>>
>>>>Is this a known problem, if so how can I restrict users from creating
>>>>objects in my db?
>>>>
>>>>
>>>>
>>>>
>>>Is myuser a superuser?  If so, you can revoke all you want and he'll
>>>still be able to do anything he wants.  Also, I think that if myuser
>>>owns the current database he can always create tables in it.
>>>
>>>
>>>
>>>
>>>
>>>
>>myuser is not a superuser.  is the public schema special in that you
>>cannot revoke create privileges from users accessing it?
>>
>>
>
>Is myuser the creator of the database in question?
>
>
Nope.

-Joe

Re: REVOKE not working...

From
Stephan Szabo
Date:
On Fri, 22 Oct 2004, Joe Maldonado wrote:

> Scott Marlowe wrote:
>
> >On Thu, 2004-10-21 at 10:49, Joe Maldonado wrote:
> >
> >
> >>Scott Marlowe wrote:
> >>
> >>
> >>
> >>>On Wed, 2004-10-20 at 08:17, Joe Maldonado wrote:
> >>>
> >>>
> >>>
> >>>
> >>>>Hello all,
> >>>>   I have created users for which I have restricted access to SELECT
> >>>>
> >>>>
> >>>>from a set of tables, this works :)
> >>>
> >>>
> >>>>   But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
> >>>>The user can still create tables...I've also issued this command for the
> >>>>SCHEMA and still no go.
> >>>>
> >>>>Is this a known problem, if so how can I restrict users from creating
> >>>>objects in my db?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>Is myuser a superuser?  If so, you can revoke all you want and he'll
> >>>still be able to do anything he wants.  Also, I think that if myuser
> >>>owns the current database he can always create tables in it.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>myuser is not a superuser.  is the public schema special in that you
> >>cannot revoke create privileges from users accessing it?
> >>
> >>
> >
> >Is myuser the creator of the database in question?
> >
> >
> Nope.

I think Tom said this, but myuser probably doesn't have permission on the
schema, it's probably getting the PUBLIC ("world") permission.  You might
need to revoke create on schema public from public; and then grant rights
to users or groups that you want to give permissions to.
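
The distinction drawn in this thread between CREATE on a database and CREATE on a schema, and the fix of revoking from PUBLIC, as an added example that is not part of the original messages. `mydb` and `myuser` are the names used in the thread; `app_writers` is a hypothetical role, and the catalog queries assume PostgreSQL 9.3 or later.

```sql
-- Added example. mydb and myuser are the names from the thread;
-- app_writers is a hypothetical role. Run in mydb as a superuser
-- or as the owner of schema public. Assumes PostgreSQL 9.3 or later.

-- 1. Rule out the bypasses asked about in the thread: superusers and
--    object owners are not constrained by REVOKE.
SELECT r.rolname,
       r.rolsuper,
       EXISTS (SELECT 1 FROM pg_database d
               WHERE d.datname = 'mydb' AND d.datdba = r.oid) AS owns_database,
       EXISTS (SELECT 1 FROM pg_namespace n
               WHERE n.nspname = 'public' AND n.nspowner = r.oid) AS owns_public_schema
FROM pg_roles r
WHERE r.rolname = 'myuser';

-- 2. The two CREATE privileges are separate: the database-level one covers
--    creating schemas, the schema-level one covers creating tables in it.
SELECT has_database_privilege('myuser', 'mydb', 'CREATE') AS can_create_schemas,
       has_schema_privilege('myuser', 'public', 'CREATE') AS can_create_in_public;

-- 3. List who holds privileges on schema public. A grantee OID of 0 is the
--    PUBLIC pseudo-role, which every user inherits from.
SELECT COALESCE(r.rolname, 'PUBLIC') AS grantee, a.privilege_type
FROM pg_namespace n
CROSS JOIN LATERAL aclexplode(n.nspacl) AS a
LEFT JOIN pg_roles r ON r.oid = a.grantee
WHERE n.nspname = 'public';

-- 4. Remove the inherited grant, then grant CREATE only to a dedicated role.
BEGIN;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
CREATE ROLE app_writers NOLOGIN;               -- hypothetical group role
GRANT CREATE ON SCHEMA public TO app_writers;
COMMIT;

-- 5. Re-run the schema-level check from step 2 to confirm the privilege
--    is no longer available to myuser through PUBLIC.
SELECT has_schema_privilege('myuser', 'public', 'CREATE') AS can_create_in_public;
```

Databases created on PostgreSQL 15 or later no longer grant CREATE on schema public to PUBLIC by default, but databases upgraded from older releases keep the old grant, so the listing in step 3 is worth running on any inherited cluster.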

Re: REVOKE not working...

From
Joe Maldonado
Date:
Stephan Szabo wrote:

>On Fri, 22 Oct 2004, Joe Maldonado wrote:
>
>
>
>>Scott Marlowe wrote:
>>
>>
>>
>>>On Thu, 2004-10-21 at 10:49, Joe Maldonado wrote:
>>>
>>>
>>>
>>>
>>>>Scott Marlowe wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>On Wed, 2004-10-20 at 08:17, Joe Maldonado wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hello all,
>>>>>>  I have created users for which I have restricted access to SELECT
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>from a set of tables, this works :)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>  But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
>>>>>>The user can still create tables...I've also issued this command for the
>>>>>>SCHEMA and still no go.
>>>>>>
>>>>>>Is this a known problem, if so how can I restrict users from creating
>>>>>>objects in my db?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>Is myuser a superuser?  If so, you can revoke all you want and he'll
>>>>>still be able to do anything he wants.  Also, I think that if myuser
>>>>>owns the current database he can always create tables in it.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>myuser is not a superuser.  is the public schema special in that you
>>>>cannot revoke create privileges from users accessing it?
>>>>
>>>>
>>>>
>>>>
>>>Is myuser the creator of the database in question?
>>>
>>>
>>>
>>>
>>Nope.
>>
>>
>
>I think Tom said this, but myuser probably doesn't have permission on the
>schema, it's probably getting the PUBLIC ("world") permission.  You might
>need to revoke create on schema public from public; and then grant rights
>to users or groups that you want to give permissions to.
>
Thanks!!! That did it.

-Joe