Discussion:
REVOKE not working...
Joe Maldonado
2004-10-20 14:17:10 UTC
Hello all,
I have created users for which I have restricted access to SELECT
from a set of tables, this works :)
But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...I've also issued this command for the
SCHEMA and still no go.

Is this a known problem, if so how can I restrict users from creating
objects in my db?

Thanks,

-Joe

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
Scott Marlowe
2004-10-20 15:45:20 UTC
Post by Joe Maldonado
Hello all,
I have created users for which I have restricted access to SELECT
from a set of tables, this works :)
But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...I've also issued this command for the
SCHEMA and still no go.
Is this a known problem, if so how can I restrict users from creating
objects in my db?
Is myuser a superuser? If so, you can revoke all you want and he'll
still be able to do anything he wants. Also, I think that if myuser
owns the current database he can always create tables in it.


Joe Maldonado
2004-10-21 16:49:24 UTC
Post by Scott Marlowe
Post by Joe Maldonado
Hello all,
I have created users for which I have restricted access to SELECT
from a set of tables, this works :)
But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...I've also issued this command for the
SCHEMA and still no go.
Is this a known problem, if so how can I restrict users from creating
objects in my db?
Is myuser a superuser? If so, you can revoke all you want and he'll
still be able to do anything he wants. Also, I think that if myuser
owns the current database he can always create tables in it.
myuser is not a superuser. Is the public schema special in that you
cannot revoke create privileges from users accessing it?

-Joe
Scott Marlowe
2004-10-21 20:06:23 UTC
Post by Joe Maldonado
Post by Scott Marlowe
Post by Joe Maldonado
Hello all,
I have created users for which I have restricted access to SELECT
from a set of tables, this works :)
But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...I've also issued this command for the
SCHEMA and still no go.
Is this a known problem, if so how can I restrict users from creating
objects in my db?
Is myuser a superuser? If so, you can revoke all you want and he'll
still be able to do anything he wants. Also, I think that if myuser
owns the current database he can always create tables in it.
myuser is not a superuser. Is the public schema special in that you
cannot revoke create privileges from users accessing it?
Is myuser the creator of the database in question?


Joe Maldonado
2004-10-22 13:12:49 UTC
Post by Scott Marlowe
Post by Joe Maldonado
Post by Scott Marlowe
Post by Joe Maldonado
Hello all,
I have created users for which I have restricted access to SELECT
from a set of tables, this works :)
But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...I've also issued this command for the
SCHEMA and still no go.
Is this a known problem, if so how can I restrict users from creating
objects in my db?
Is myuser a superuser? If so, you can revoke all you want and he'll
still be able to do anything he wants. Also, I think that if myuser
owns the current database he can always create tables in it.
myuser is not a superuser. Is the public schema special in that you
cannot revoke create privileges from users accessing it?
Is myuser the creator of the database in question?
Nope.

-Joe

Stephan Szabo
2004-10-22 13:33:58 UTC
Post by Scott Marlowe
Post by Joe Maldonado
Post by Scott Marlowe
Post by Joe Maldonado
Hello all,
I have created users for which I have restricted access to SELECT
from a set of tables, this works :)
But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...I've also issued this command for the
SCHEMA and still no go.
Is this a known problem, if so how can I restrict users from creating
objects in my db?
Is myuser a superuser? If so, you can revoke all you want and he'll
still be able to do anything he wants. Also, I think that if myuser
owns the current database he can always create tables in it.
myuser is not a superuser. Is the public schema special in that you
cannot revoke create privileges from users accessing it?
Is myuser the creator of the database in question?
Nope.
I think Tom said this, but myuser probably doesn't have permission on the
schema, it's probably getting the PUBLIC ("world") permission. You might
need to revoke create on schema public from public; and then grant rights
to users or groups that you want to give permissions to.

Joe Maldonado
2004-10-22 14:51:14 UTC
Post by Stephan Szabo
Post by Scott Marlowe
Post by Joe Maldonado
Post by Scott Marlowe
Post by Joe Maldonado
Hello all,
I have created users for which I have restricted access to SELECT
from a set of tables, this works :)
But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...I've also issued this command for the
SCHEMA and still no go.
Is this a known problem, if so how can I restrict users from creating
objects in my db?
Is myuser a superuser? If so, you can revoke all you want and he'll
still be able to do anything he wants. Also, I think that if myuser
owns the current database he can always create tables in it.
myuser is not a superuser. Is the public schema special in that you
cannot revoke create privileges from users accessing it?
Is myuser the creator of the database in question?
Nope.
I think Tom said this, but myuser probably doesn't have permission on the
schema, it's probably getting the PUBLIC ("world") permission. You might
need to revoke create on schema public from public; and then grant rights
to users or groups that you want to give permissions to.
Thanks !!! that did it.

-Joe


Tom Lane
2004-10-21 03:34:04 UTC
Post by Joe Maldonado
But when I issue a REVOKE CREATE ON DATABASE mydb FROM myuser;
The user can still create tables...
CREATE privilege on a database concerns the right to create schemas
within the database. Whether you can create tables within a schema
is a different privilege on a different object. In particular, the
default setup is that everyone can create tables within the "public"
schema in each database. Revoke CREATE on that (from PUBLIC, not just
myuser) and you'll start to get somewhere.

regards, tom lane
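
The distinction described in the replies from Tom Lane and Stephan Szabo (database-level CREATE versus schema-level CREATE held by PUBLIC), as an added example that is not part of the original thread. `mydb` and `myuser` are the names used in the thread; the group role `app_writers` is a hypothetical name introduced here.

```sql
-- Added example. mydb and myuser come from the thread; the role app_writers
-- is hypothetical. Run as a superuser or the database owner, connected to mydb.

-- 1. What the original REVOKE targets: CREATE on a database governs
--    CREATE SCHEMA, not CREATE TABLE inside an existing schema.
REVOKE CREATE ON DATABASE mydb FROM myuser;

-- 2. Effective privileges for myuser. The has_*_privilege functions take
--    grants made to PUBLIC into account, which a look at myuser's own
--    grants would miss.
SELECT has_database_privilege('myuser', 'mydb', 'CREATE') AS can_create_schema,
       has_schema_privilege('myuser', 'public', 'CREATE') AS can_create_in_public,
       has_schema_privilege('myuser', 'public', 'USAGE')  AS can_use_public;

-- 3. Raw ACL on the schema. An entry whose grantee (the text before "=")
--    is empty is a grant to PUBLIC; "C" in its privilege string is CREATE.
SELECT nspname, nspacl
FROM pg_namespace
WHERE nspname = 'public';

-- 4. Remove the privilege where it is actually held, then grant it back
--    only to the roles that should create objects.
BEGIN;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
CREATE ROLE app_writers NOLOGIN;          -- hypothetical group role
GRANT CREATE ON SCHEMA public TO app_writers;
COMMIT;

-- 5. Audit every login role for the ability to create objects in public.
--    Superusers always pass, so rolsuper is listed alongside the result.
SELECT r.rolname,
       r.rolsuper,
       has_schema_privilege(r.rolname, 'public', 'CREATE') AS can_create_in_public
FROM pg_roles r
WHERE r.rolcanlogin
ORDER BY r.rolname;
```

Since PostgreSQL 15, newly created databases no longer grant CREATE on the public schema to PUBLIC, but clusters upgraded or restored from older versions keep the earlier ACL, so the audit in step 5 remains worth running.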
