Обсуждение: Connect to db denied for superuser inherited by group
Unexpected behavior when trying to connect to a database. Facts: 1) The privilege to connect to the database was revoked from public. 2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.) 3) Unecpected Message: FATAL: permission denied for database "db" DETAIL: User does not have CONNECT privilege. After granting one of the listed privileges it is working as expected. 1) granting superuser to user 2) granting connect to db for user 3) granting connect to db to group 3) granting connect to db to public What am I missing? --Michael
Greetings, * Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote: > Unexpected behavior when trying to connect to a database. Facts: > 1) The privilege to connect to the database was revoked from public. > 2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.) Please provide more details about what this step #2 actually means. > 3) Unecpected Message: FATAL: permission denied for database "db" DETAIL: User does not have CONNECT privilege. Details about exactly what you're doing to connect here would be helpful. > After granting one of the listed privileges it is working as expected. > 1) granting superuser to user > 2) granting connect to db for user > 3) granting connect to db to group > 3) granting connect to db to public > > What am I missing? --Michael CONNECT privileges are needed to be able to connect to the database, so it's not surprising that you needed to GRANT them to the user after REVOKE'ing them from PUBLIC. What's not clear is what you're actually trying to do and what you're expecting to work that apparently isn't. Thanks! Stephen
Вложения
Stephen Frost <sfrost@snowman.net> writes: > * Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote: >> 2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.) > Please provide more details about what this step #2 actually means. If you mean that you did "GRANT superuserrole TO nonsuperuser", this does not make "nonsuperuser" into a superuser; it merely allows "nonsuperuser" to use whatever ordinary privileges might've been granted to "superuserrole". If you did that with the bootstrap superuser, this would include ownership rights on all built-in objects, so it'd still be pretty darn dangerous; but it does not give the ability to ignore privileges for other objects. regards, tom lane
Stephen Frost <sfrost@snowman.net> writes:
> * Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote:
>> 2) User without superuser privileges uses a role with superuser rights (usage confirmed with SHOW current_role.)
> Please provide more details about what this step #2 actually means.
If you mean that you did "GRANT superuserrole TO nonsuperuser", this
does not make "nonsuperuser" into a superuser; it merely allows
"nonsuperuser" to use whatever ordinary privileges might've been
granted to "superuserrole".
IOW, the privileges on the "CREATE ROLE" page are not inheritable - inheritance only applies to privileges that are GRANT'ed
David J.
What I've done CREATE ROLE superrole WITH NOLOGIN SUPERUSER ..; CREATE USER nosuperuser WITH LOGIN NOSUPERUSER INHERIT ..; GRANT superrole TO nosuperuser WITH ADMIN OPTION; REVOKE CONNECT ON DATABASE nonpublicdb FROM public ; psql -d postgres -U nosupuser postgres=# set role superrole; postgres=# \c nonpublicdb FATAL: permission denied for database " nonpublicdb " DETAIL: User does not have CONNECT privilege. I expect that the connection to the database is allowed since a role with superuser is used. (I don't' expect any differencebetween using a role (including superuser) or a user (including superuser).) Postgres Version: PostgreSQL 9.5.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4), 64-bit Regards --Michael -----Ursprüngliche Nachricht----- Von: Stephen Frost [mailto:sfrost@snowman.net] Gesendet: Freitag, 16. März 2018 14:43 An: Dietrich Michael, INI-ONE-CIS-GSV-MFS <Michael.Dietrich@swisscom.com> Cc: pgsql-admin@lists.postgresql.org Betreff: Re: Connect to db denied for superuser inherited by group Greetings, * Michael.Dietrich@swisscom.com (Michael.Dietrich@swisscom.com) wrote: > Unexpected behavior when trying to connect to a database. Facts: > 1) The privilege to connect to the database was revoked from public. > 2) User without superuser privileges uses a role with superuser rights > (usage confirmed with SHOW current_role.) Please provide more details about what this step #2 actually means. > 3) Unecpected Message: FATAL: permission denied for database "db" DETAIL: User does not have CONNECT privilege. Details about exactly what you're doing to connect here would be helpful. > After granting one of the listed privileges it is working as expected. > 1) granting superuser to user > 2) granting connect to db for user > 3) granting connect to db to group > 3) granting connect to db to public > > What am I missing? --Michael CONNECT privileges are needed to be able to connect to the database, so it's not surprising that you needed to GRANT themto the user after REVOKE'ing them from PUBLIC. What's not clear is what you're actually trying to do and what you'reexpecting to work that apparently isn't. Thanks! Stephen
<Michael.Dietrich@swisscom.com> writes: > What I've done > CREATE ROLE superrole WITH NOLOGIN SUPERUSER ..; > CREATE USER nosuperuser WITH LOGIN NOSUPERUSER INHERIT ..; > GRANT superrole TO nosuperuser WITH ADMIN OPTION; > REVOKE CONNECT ON DATABASE nonpublicdb FROM public ; > psql -d postgres -U nosupuser > postgres=# set role superrole; > postgres=# \c nonpublicdb > FATAL: permission denied for database " nonpublicdb " > DETAIL: User does not have CONNECT privilege. > I expect that the connection to the database is allowed since a role > with superuser is used. You're misunderstanding what psql's \c command does. In this form, it attempts a connection with the new database name, but the same username as the previous connection, ie nosupuser. It doesn't know anything about SET ROLE commands you may have issued to the server while connected. regards, tom lane