为什么PostgreSQL中的新用户可以连接到所有数据库? [英] Why new user in PostgreSQL can connect to all databases?
问题描述
我安装了PostgreSQL 9数据库(从Oracle10g迁移),我对用户/角色管理感到非常困惑。当我使用 CREATE USER 或 CREATE ROLE 之类的SQL命令或通过Navicat工具创建新用户时,创建的用户可以看到所有数据库!他真的可以连接他们!尽管他无法从表格中选择任何数据,但可以看到表格对象和序列等。我试图撤销连接特权,但没有效果。我曾期望新用户没有特权并且看不到任何东西。我真的不知道他为什么可以。
I installed PostgreSQL 9 database (migration from Oracle10g) and I am realy confused by user/role management. When I create new user using SQL command like CREATE USER or CREATE ROLE, or by Navicat tool, created user can see all databases! He realy can connect them! Although he can't select any data from table, he can see table objects and sequences and so on. I was trying revoke connect privilegia but no effect. I was expected the new user has no privilegia and cant see anything. I really don't know why he can.
推荐答案
来自 http://www.postgresql.org/docs/9.2/static/sql-grant.html# SQL-GRANT-DESCRIPTION-OBJECTS (重点是我的):
PostgreSQL将某些类型的对象的默认特权授予
PUBLIC。默认情况下,在表,列,模式或表空间上,不授予PUBLIC特权。对于其他类型,授予PUBLIC的默认特权如下:CONNECT和为数据库创建温度表;EXECUTE的功能特权;和USAGE语言特权。当然,对象所有者可以REVOKE既具有默认特权又具有明确授予的特权。 (为了获得最大的安全性,请在创建对象的同一事务中发出REVOKE;然后没有其他用户可以在其中使用该对象的窗口。)此外,这些初始默认设置可以使用更改默认权限命令来更改权限设置。
PostgreSQL grants default privileges on some types of objects to
PUBLIC. No privileges are granted toPUBLICby default on tables, columns, schemas or tablespaces. For other types, the default privileges granted toPUBLICare as follows:CONNECTandCREATE TEMP TABLEfor databases;EXECUTEprivilege for functions; andUSAGEprivilege for languages. The object owner can, of course,REVOKEboth default and expressly granted privileges. (For maximum security, issue theREVOKEin the same transaction that creates the object; then there is no window in which another user can use the object.) Also, these initial default privilege settings can be changed using the ALTER DEFAULT PRIVILEGES command.
为了删除所有未指定用户的所有特权(包括 CONNECT )在数据库上,使用:
In order to remove all privileges (including CONNECT) for all unspecified users on a database, use:
REVOKE ALL PRIVILEGES ON DATABASE <database> FROM public;
另请参见:
- PostgreSQL: View database connect permissions
- http://wiki.postgresql.org/wiki/Shared_Database_Hosting
这篇关于为什么PostgreSQL中的新用户可以连接到所有数据库?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
