Re: [GENERAL] Re: grant privileges to a database

On Wed, Jan 31, 2001 at 03:39:46PM -0700, some SMTP stream spewed forth:
> : El Mié 31 Ene 2001 18:32, Dan Wilson escribió:
> : > You can do this in phpPgAdmin... it's a hack because it just pulls in
> all
> : > the objects/relations and runs a single grant statement on them, but it
> : > works.  It puts together a query like the following:
> : >
> : > GRANT ALL ON table1, table2, table3, view1, view2, sequence1, sequence2
> TO
> : > user
> : >
> : > Which I suppose you can do manually if you don't have phpPgAdmin
> installed.
> : >
> : > It ain't the prettiest, but it works!
> :
> : The problem is that this is not what I'm looking for. I want the user to
> be
> : able to create new tables, views, sequences, etc on that database.
>
> Oh, if you want to do that, then you don't have to do any granting of
> priviledges.  It seems that Postgres allows any user to create a table on a

Er, to delete anything, the user would need to be a superuser.
Else, nyet, not necessary.

> database.  Even if the user is not the owner of the database.  AFAIK, there
> are no acl's associated with the database.

For the heck of it, I will certify that this is correct.

>
> I've posed this question before and have not received any response, but is
> this an undocumented feature or a sercurity bug?  Personally, I don't think
> anyone should be able to create relations on a database they do not own.

It is both, depending on how you use it. ;-)

I would and do consider it a blindingly silly security risk, but
apparently nobody else does. I asked before, but...
Just why the hell would somebody want *any* user of *any* database to be
able to *create* anything under *any* other database?!?


dan

;-)

>
> -Dan
>