
Re: RFC: common database policy/infrastracture



On Thu, 2004-12-23 at 11:52 +0100, Karsten Hilbert wrote:
> > In PostgreSQL, any user that can create other users is the equivalent of
> > superuser;
> Or so the 7.4 docs say.
> 
> > he can do anything to any database.
> If that were so ...
> 
> > It is not acceptable for
> > a database application package to create such users.
> ... this would hold true.
> 
> However, if I create a table as "postgres" in a database and
> then connect as user "gm-dbowner" (which is our application
> admin account with CREATEUSER and CREATEDB rights) I can *not*
> insert into that table. Which seems to go contrary to what the
> docs say.
> 
> Also, usesuper in pg_user is FALSE for gm-dbowner.
> 
> What is the definitive deal ?

The createuser script will set usesuper to true if the --adduser option
is given; so does the CREATE USER statement if the CREATEUSER option is
given.  You can subsequently set usesuper to false, but I don't feel at
all happy with the idea of creating a superuser at any point.  Better to
have the existing postgres user create any other needed users.

-- 
Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
                 ========================================
     "And this shall be a sign unto you; Ye shall find the 
      babe wrapped in swaddling clothes, lying in a manger."
                              Luke 2:12 
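
The check discussed in this thread can be run as the existing postgres superuser. The following is an added example, not part of the original message: it uses PostgreSQL 7.4-era syntax and the account name from the thread, and the table name `priv_probe` is hypothetical.

```sql
-- Added example, run as the existing "postgres" superuser (7.4-era syntax).

-- 1. Audit: which accounts currently hold superuser rights?
SELECT usename, usecreatedb, usesuper
  FROM pg_user
 WHERE usesuper
 ORDER BY usename;

-- 2. Create the application owner without CREATEUSER, so usesuper is
--    never set to true at any point. CREATEDB alone does not grant it.
CREATE USER "gm-dbowner" NOCREATEUSER CREATEDB;

-- 3. For an account that was already created with CREATEUSER, remove
--    the right again.
ALTER USER "gm-dbowner" NOCREATEUSER;

-- 4. Verify the catalog flag for that account.
SELECT usename, usecreatedb, usesuper
  FROM pg_user
 WHERE usename = 'gm-dbowner';

-- 5. Behavioural check matching the test described in the quoted text:
--    a table owned by postgres, with no privileges granted to anyone else.
CREATE TABLE priv_probe (id integer);   -- hypothetical table name

SET SESSION AUTHORIZATION 'gm-dbowner';
-- Expected to be rejected with a permission error while usesuper is
-- false; if it succeeds, the account still has superuser rights.
INSERT INTO priv_probe VALUES (1);
RESET SESSION AUTHORIZATION;

DROP TABLE priv_probe;
```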


