Обсуждение: Permissions problem

Поиск
Список
Период
Сортировка

Permissions problem

От
noy
Дата:
Hi,

I am having problems with permissions in postgres. I am using version 7.1.3 of
Postgres running on RedHat 7.2. 

I create the table "accounts" and revoke all permissions for the PUBLIC user:  
accounts | {"=","dcl=arwR"}

However, any user can make a select or update in the table "accounts".

Can anybody help me?!

Thanks a lot.

Re: Permissions problem

От
Tom Lane
Дата:
noy <noyda@isoco.com> writes:
> However, any user can make a select or update in the table "accounts".

Surely not.

test71=# select version();                            version
------------------------------------------------------------------PostgreSQL 7.1.3 on hppa2.0-hp-hpux10.20, compiled by
GCC2.95.3
 
(1 row)

test71=# create user foo;
CREATE USER
test71=# create user bar;
CREATE USER
test71=# \c - foo
You are now connected as new user foo.
test71=> create table accounts (f1 int);
CREATE
test71=> insert into accounts values(1);
INSERT 1587112 1
test71=> revoke all on accounts from public;
CHANGE
test71=> \z accounts
Access privileges for database "test71" Table   | Access privileges
----------+-------------------accounts | {"=","foo=arwR"}
(1 row)

test71=> select * from accounts;f1
---- 1
(1 row)

test71=> \c - bar
You are now connected as new user bar.
test71=> select * from accounts;
ERROR:  accounts: Permission denied.
test71=> update accounts set f1 = 2;
ERROR:  accounts: Permission denied.
test71=> 


Perhaps your "any user" is actually a superuser?
        regards, tom lane

Re: Permissions problem

От
noy
Дата:
Hi,

Thanks for your help... I had problem with the user's permissions because I
created the users using the shell scripts:

createuser -a login -P

and users created in that way have all the privileges. The man page no makes
references to this. -a, --adduser  Allows the new user to create other users.


Thanks.



Tom Lane wrote:
> 
> noy <noyda@isoco.com> writes:
> > However, any user can make a select or update in the table "accounts".
> 
> Surely not.
> 
> test71=# select version();
>                              version
> ------------------------------------------------------------------
>  PostgreSQL 7.1.3 on hppa2.0-hp-hpux10.20, compiled by GCC 2.95.3
> (1 row)
> 
> test71=# create user foo;
> CREATE USER
> test71=# create user bar;
> CREATE USER
> test71=# \c - foo
> You are now connected as new user foo.
> test71=> create table accounts (f1 int);
> CREATE
> test71=> insert into accounts values(1);
> INSERT 1587112 1
> test71=> revoke all on accounts from public;
> CHANGE
> test71=> \z accounts
> Access privileges for database "test71"
>   Table   | Access privileges
> ----------+-------------------
>  accounts | {"=","foo=arwR"}
> (1 row)
> 
> test71=> select * from accounts;
>  f1
> ----
>   1
> (1 row)
> 
> test71=> \c - bar
> You are now connected as new user bar.
> test71=> select * from accounts;
> ERROR:  accounts: Permission denied.
> test71=> update accounts set f1 = 2;
> ERROR:  accounts: Permission denied.
> test71=>
> 
> Perhaps your "any user" is actually a superuser?
> 
>                         regards, tom lane

Re: Permissions problem

От
Tom Lane
Дата:
noy <noyda@isoco.com> writes:
> Thanks for your help... I had problem with the user's permissions because I
> created the users using the shell scripts:
> createuser -a login -P
> and users created in that way have all the privileges. The man page no makes
> references to this. -a, --adduser  Allows the new user to create other users.

Good point.  It's explained on the man page for the underlying CREATE
USER command, but the page for the createuser script needs to say it
too.  I've committed a fix for 7.2.1.
        regards, tom lane