snippetsqlCritical
Why is a new user allowed to create a table?
Viewed 0 times
whyallowednewcreateusertable
Problem
I'm wondering why a newly created user is allowed to create a table after connecting to a database. I have one database,
So far so good. Now I create a user:
Okay. When I try to connect to the database, the user is not allowed to do so:
This is what I expected. Now the strange stuff starts. I grant the user
```
postgres=# GRANT CONNECT ON DATABASE project2_core TO dietrich;
GRANT
postgres=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
---------------+--------------+-----------+-------------+-------------+-------------------------------
postgres | postgres | SQL_ASCII | C | C |
project2_core | atm_project2 | UTF8 | de_DE.UTF-8 | d
project2_core:postgres=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
---------------+--------------+-----------+-------------+-------------+-------------------------------
postgres | postgres | SQL_ASCII | C | C |
project2_core | atm_project2 | UTF8 | de_DE.UTF-8 | de_DE.UTF-8 | project2=CTc/project2
template0 | postgres | SQL_ASCII | C | C | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | SQL_ASCII | C | C | =c/postgres +
| | | | | postgres=CTc/postgres
(5 rows)So far so good. Now I create a user:
postgres=# CREATE ROLE dietrich ENCRYPTED PASSWORD 'md5XXX' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSEROkay. When I try to connect to the database, the user is not allowed to do so:
$ psql -h localhost -p 5432 -U dietrich -W project2_core
Password for user dietrich:
psql: FATAL: permission denied for database "project2_core"
DETAIL: User does not have CONNECT privilege.This is what I expected. Now the strange stuff starts. I grant the user
CONNECT:```
postgres=# GRANT CONNECT ON DATABASE project2_core TO dietrich;
GRANT
postgres=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
---------------+--------------+-----------+-------------+-------------+-------------------------------
postgres | postgres | SQL_ASCII | C | C |
project2_core | atm_project2 | UTF8 | de_DE.UTF-8 | d
Solution
When you create a new database, any role is allowed to create objects in the
Edit: after the above command, only a superuser may create new objects inside the
To know what
On the other hand,
Regarding this error:
public schema. To remove this possibility, you may issue immediately after the database creation:REVOKE ALL ON schema public FROM public;Edit: after the above command, only a superuser may create new objects inside the
public schema, which is not practical. Assuming a non-superuser foo_user should be granted this privilege, this should be done with:GRANT ALL ON schema public TO foo_user;To know what
ALL means for a schema, we must refer to GRANT in the doc, (in PG 9.2 there are no less than 14 forms of GRANT statements that apply to different things...). It appears that for a schema it means CREATE and USAGE.On the other hand,
GRANT ALL PRIVILEGES ON DATABASE... will grant CONNECT and CREATE and TEMP, but CREATE in this context relates to schemas, not permanent tables.Regarding this error:
ERROR: no schema has been selected to create in, it happens when trying to create an object without schema qualification (as in create table foo(...)) while lacking the permission to create it in any schema of the search_path.Code Snippets
REVOKE ALL ON schema public FROM public;GRANT ALL ON schema public TO foo_user;Context
StackExchange Database Administrators Q#35316, answer score: 73
Revisions (0)
No revisions yet.