Re: User with "almost" superuser privileges

Поиск
Список
Период
Сортировка
От Daniel Gomez Blanco
Тема Re: User with "almost" superuser privileges
Дата
Msg-id CAL4HELedcN+5XpenZbNC5V=-BbOgJHu6QPTZDRyQjnxC+M75GA@mail.gmail.com
обсуждение исходный текст
Ответ на User with "almost" superuser privileges  (Daniel Gomez Blanco <nanodgb@gmail.com>)
Ответы Re: User with "almost" superuser privileges
Список pgsql-novice
Дерево обсуждения

Hi Brauner,

Thanks for your response. What I'm doing now is that, I create a user:

create user admin with password 'password' createdb createrole createuser;

And then grant some privleges, e.g.:

grant execute on function current_setting(setting_name text) to admin with grant option;

I'm grating all the functionality this "almost superuser" needs, expect the functions I disallow (like pg_ls_dir for example). But I still don't know if I'm granting all the functionality a superuser has. What would be great is some documentation explaining a bit more what a superuser is able to do. Unfortunately, I haven't found any. All I have found is some random "you need to be superuser to do this", but not a complete list of what a superuser can do...

Cheers,

Daniel


On 18 July 2013 15:41, Brauner Oliveira <brauner.rno@gmail.com> wrote:
A SUPERUSER will bypass every database privileges (if it have a right entry in pg_hba), so if you want to create an "almost superuser" you'll have to look at GRANT and REVOKE (that have no effect to superusers). You may also create a role with CREATEDB then create the database you want. Take a look at: http://www.postgresql.org/docs/9.2/static/ddl-priv.html.

I hope this has helped, sorry for my bad english.

brno


2013/7/18 Daniel Gomez Blanco <nanodgb@gmail.com>
Hello,

I'd like to create a user that is almost a superuser, but without some privileges. I cannot create a superuser and then revoke privileges from them, because by definition nothing can be revoked from superusers. So how can I know what a superuser is able to execute compared to a user with the rest of attributes, but without superuser? If I knew this I could grant those privileges after I create the user.

Cheers,

Daniel


В списке pgsql-novice по дате отправления: