Thread: Connect to db denied for superuser inherited by group

Connect to db denied for superuser inherited by group

From:
Date:
Unexpected behavior when trying to connect to a database. Facts:
1) The privilege to connect to the database was revoked from public.
2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.)
3) Unexpected Message: FATAL: permission denied for database "db" DETAIL: User does not have CONNECT privilege.

After granting one of the listed privileges it is working as expected.
1) granting superuser to user
2) granting connect to db for user
3) granting connect to db to group
4) granting connect to db to public

What am I missing?  --Michael




Re: Connect to db denied for superuser inherited by group

From: Stephen Frost
Date:
Greetings,

* Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote:
> Unexpected behavior when trying to connect to a database. Facts:
> 1) The privilege to connect to the database was revoked from public.
> 2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.)

Please provide more details about what this step #2 actually means.

> 3) Unexpected Message: FATAL: permission denied for database "db" DETAIL: User does not have CONNECT privilege.

Details about exactly what you're doing to connect here would be
helpful.

> After granting one of the listed privileges it is working as expected.
> 1) granting superuser to user
> 2) granting connect to db for user
> 3) granting connect to db to group
> 4) granting connect to db to public
>
> What am I missing?  --Michael

CONNECT privileges are needed to be able to connect to the database, so
it's not surprising that you needed to GRANT them to the user after
REVOKE'ing them from PUBLIC.  What's not clear is what you're actually
trying to do and what you're expecting to work that apparently isn't.

Thanks!

Stephen


Re: Connect to db denied for superuser inherited by group

From: Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> * Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote:
>> 2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.)

> Please provide more details about what this step #2 actually means.

If you mean that you did "GRANT superuserrole TO nonsuperuser", this
does not make "nonsuperuser" into a superuser; it merely allows
"nonsuperuser" to use whatever ordinary privileges might've been
granted to "superuserrole".  If you did that with the bootstrap
superuser, this would include ownership rights on all built-in
objects, so it'd still be pretty darn dangerous; but it does not
give the ability to ignore privileges for other objects.

            regards, tom lane


Re: Connect to db denied for superuser inherited by group

From: "David G. Johnston"
Date:
On Fri, Mar 16, 2018 at 7:52 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>> * Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote:
>>> 2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.)
>
>> Please provide more details about what this step #2 actually means.
>
> If you mean that you did "GRANT superuserrole TO nonsuperuser", this
> does not make "nonsuperuser" into a superuser; it merely allows
> "nonsuperuser" to use whatever ordinary privileges might've been
> granted to "superuserrole".

IOW, the privileges on the "CREATE ROLE" page are not inheritable - inheritance only applies to privileges that are GRANT'ed

David J.

Re: Connect to db denied for superuser inherited by group

From:
Date:
What I've done

CREATE ROLE superrole WITH  NOLOGIN  SUPERUSER ..;
CREATE USER nosuperuser WITH LOGIN NOSUPERUSER INHERIT ..;
GRANT superrole TO nosuperuser WITH ADMIN OPTION;
REVOKE CONNECT ON DATABASE nonpublicdb FROM public ;

psql -d postgres -U nosupuser

postgres=# set role superrole;

postgres=# \c nonpublicdb
FATAL:  permission denied for database " nonpublicdb "
DETAIL:  User does not have CONNECT privilege.

I expect that the connection to the database is allowed since a role with superuser is used.  (I don't expect any
difference between using a role (including superuser) or a user (including superuser).)

Postgres Version: PostgreSQL 9.5.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4),
64-bit

Regards --Michael


-----Original Message-----
From: Stephen Frost [mailto:sfrost@snowman.net]
Sent: Friday, 16 March 2018 14:43
To: Dietrich Michael, INI-ONE-CIS-GSV-MFS <Michael.Dietrich@swisscom.com>
Cc: pgsql-admin@lists.postgresql.org
Subject: Re: Connect to db denied for superuser inherited by group

Greetings,

* Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote:
> Unexpected behavior when trying to connect to a database. Facts:
> 1) The privilege to connect to the database was revoked from public.
> 2) User without superuser privileges uses a role with superuser rights
> (usage confirmed with SHOW current_role.)

Please provide more details about what this step #2 actually means.

> 3) Unexpected Message: FATAL: permission denied for database "db" DETAIL: User does not have CONNECT privilege.

Details about exactly what you're doing to connect here would be helpful.

> After granting one of the listed privileges it is working as expected.
> 1) granting superuser to user
> 2) granting connect to db for user
> 3) granting connect to db to group
> 4) granting connect to db to public
>
> What am I missing?  --Michael

CONNECT privileges are needed to be able to connect to the database, so it's not surprising that you needed to GRANT
them to the user after REVOKE'ing them from PUBLIC.  What's not clear is what you're actually trying to do and what
you're expecting to work that apparently isn't.

Thanks!

Stephen


Re: Connect to db denied for superuser inherited by group

From: Tom Lane
Date:
<Michael.Dietrich@swisscom.com> writes:
> What I've done
> CREATE ROLE superrole WITH  NOLOGIN  SUPERUSER ..;    
> CREATE USER nosuperuser WITH LOGIN NOSUPERUSER INHERIT ..;
> GRANT superrole TO nosuperuser WITH ADMIN OPTION;
> REVOKE CONNECT ON DATABASE nonpublicdb FROM public ;

> psql -d postgres -U nosupuser

> postgres=# set role superrole;

> postgres=# \c nonpublicdb
> FATAL:  permission denied for database " nonpublicdb "
> DETAIL:  User does not have CONNECT privilege.

> I expect that the connection to the database is allowed since a role
> with superuser is used.

You're misunderstanding what psql's \c command does.  In this form,
it attempts a connection with the new database name, but the same
username as the previous connection, ie nosupuser.  It doesn't know
anything about SET ROLE commands you may have issued to the server
while connected.

            regards, tom lane
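As an added example (not from the thread), the diagnostic a superuser would run to make the two points above visible: role attributes such as SUPERUSER are never inherited through membership, only GRANTed privileges are, and the CONNECT check is evaluated for the login role when the connection arrives, so a SET ROLE in an earlier session has no bearing on it. Role and database names follow Michael's setup; the final GRANT is the least-privilege fix, as opposed to giving the login role SUPERUSER.

```sql
-- Added diagnostic (not from the thread); uses the role and database names
-- from Michael's setup. Run as a real superuser.

-- 1. Role attributes are per-role and never inherited: superrole is a
--    superuser, nosuperuser is not, even though it is a member of superrole.
SELECT rolname, rolsuper, rolinherit, rolcanlogin
FROM pg_roles
WHERE rolname IN ('superrole', 'nosuperuser')
ORDER BY rolname;

-- 2. The membership exists (with ADMIN OPTION), so GRANTed object privileges
--    flow through it, but the SUPERUSER attribute does not.
SELECT r.rolname AS member, g.rolname AS granted_role, m.admin_option
FROM pg_auth_members AS m
JOIN pg_roles AS r ON r.oid = m.member
JOIN pg_roles AS g ON g.oid = m.roleid
WHERE r.rolname = 'nosuperuser';

-- 3. The check the server performs when a connection arrives, evaluated for
--    the login role. A SET ROLE in an existing session does not affect it,
--    because psql's \c opens a fresh connection as the original user.
SELECT has_database_privilege('nosuperuser', 'nonpublicdb', 'CONNECT') AS member_can_connect,
       has_database_privilege('superrole',   'nonpublicdb', 'CONNECT') AS superrole_can_connect;

-- 4. Least-privilege fix: grant CONNECT explicitly to the login role (or to a
--    NOLOGIN group it inherits from) instead of giving it SUPERUSER.
GRANT CONNECT ON DATABASE nonpublicdb TO nosuperuser;

SELECT has_database_privilege('nosuperuser', 'nonpublicdb', 'CONNECT') AS member_can_connect;
```

With the thread's setup, step 1 reports rolsuper true only for superrole, and member_can_connect is false before the GRANT in step 4 and true after it.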