Re: RFC: common database policy/infrastructure
On Tue, 2004-12-21 at 20:27 +0100, Karsten Hilbert wrote:
> > i don't think the user is by default granted create user and create
> > db rights, at least in mysql. i'm really out of my area of expertise
> > with pgsql, so it may be different there.
> No, same thing.
> > in mysql, at least, that
> > would be of some concern to me as a sysadmin/dba that one of my database
> > applications could potentially have full administrative access to
> > all the databases on my system.
> a) our applications don't use that user
> b) the user only has create-database and create-user which
> means it can create new databases and delete databases
> owned by itself, same with users: create new ones and
> delete those created by itself
> c) the user does not have administrative access to other
> d) in fact, that user does not have "administrative" access at
> all in that that would be something generic, it only has
> the added rights to manage "its" databases/users
In PostgreSQL, any user that can create other users is the equivalent of
superuser; he can do anything to any database. It is not acceptable for
a database application package to create such users. It is OK to create
a user that can create databases, however.
Oliver Elphick email@example.com
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
"And this shall be a sign unto you; Ye shall find the
babe wrapped in swaddling clothes, lying in a manger."
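
Added example, not part of the message above or of any package discussed in the thread: the helper account the reply objects to, next to the form it calls acceptable, followed by an audit query a DBA can run to see which accounts hold either right. The role name pkg_admin is hypothetical, and the syntax assumes PostgreSQL 7.4, where the CREATEUSER option also makes the account a superuser.

```sql
-- Constructed example; the role name pkg_admin is hypothetical.
-- Syntax assumes PostgreSQL 7.4, where CREATEUSER also confers superuser.

-- Weak: a packaging helper that may create users is in effect a superuser.
CREATE USER pkg_admin CREATEDB CREATEUSER;

-- Corrected: allow database creation only, as the reply above accepts.
ALTER USER pkg_admin CREATEDB NOCREATEUSER;

-- Audit: list every account whose flags go beyond an ordinary user.
-- After the ALTER above, pkg_admin should show
-- usecreatedb = t and usesuper = f.
SELECT usename, usecreatedb, usesuper
  FROM pg_user
 WHERE usesuper OR usecreatedb
 ORDER BY usename;
```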