
Re: RFC: common database policy/infrastructure

On Tue, 2004-12-21 at 20:27 +0100, Karsten Hilbert wrote:
> > I don't think the user is by default granted create user and create
> > db rights, at least in mysql.  I'm really out of my area of expertise
> > with pgsql, so it may be different there.
> No, same thing.
> > In mysql, at least, that
> > would be of some concern to me as a sysadmin/dba that one of my database
> > applications could potentially have full administrative access to
> > all the databases on my system.
> a) our applications don't use that user
> b) the user only has create-database and create-user which
>    means it can create new databases and delete databases
>    owned by itself, same with users: create new ones and
>    delete those created by itself
> c) the user does not have administrative access to other
>    databases
> d) in fact, that user does not have "administrative" access at
>    all in that that would be something generic, it only has
>    the added rights to manage "its" databases/users

In PostgreSQL, any user that can create other users is the equivalent of
superuser; he can do anything to any database.  It is not acceptable for
a database application package to create such users.  It is OK to create
a user that can create databases, however.

Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
     "And this shall be a sign unto you; Ye shall find the 
      babe wrapped in swaddling clothes, lying in a manger."
                              Luke 2:12 
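
A sketch of the arrangement the message above calls acceptable: a package role that may create databases but not users, followed by a check that fails if a package role ever holds user-creation or superuser rights. This is an added example, not part of the original message; the role and database names are hypothetical, and it assumes the role syntax of a current PostgreSQL release rather than the 2004 one.

```sql
-- Added example; all names are hypothetical. Run as a superuser in psql
-- (autocommit), since CREATE DATABASE cannot run inside a transaction block.

-- Package administrative role: may create databases, nothing more.
CREATE ROLE pkg_dbadmin LOGIN CREATEDB NOCREATEROLE NOSUPERUSER;

-- Role the application itself connects as: no special attributes.
CREATE ROLE pkg_app LOGIN NOCREATEDB NOCREATEROLE NOSUPERUSER;

-- The admin role creates the package database and therefore owns it.
SET ROLE pkg_dbadmin;
CREATE DATABASE pkg_data;
RESET ROLE;

-- Which databases does the package role own? Expect only pkg_data.
SELECT d.datname, r.rolname AS owner
FROM pg_database d
JOIN pg_roles r ON r.oid = d.datdba
WHERE r.rolname = 'pkg_dbadmin';

-- Audit: abort if a package role can create users or is a superuser.
DO $$
DECLARE
    bad text;
BEGIN
    SELECT string_agg(rolname, ', ') INTO bad
    FROM pg_roles
    WHERE rolname IN ('pkg_dbadmin', 'pkg_app')
      AND (rolsuper OR rolcreaterole);

    IF bad IS NOT NULL THEN
        RAISE EXCEPTION
            'package roles with user-creation or superuser rights: %', bad;
    END IF;
END
$$;
```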
