Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qoUJp-001SAY-QT for pgsql-hackers@arkaria.postgresql.org; Thu, 05 Oct 2023 19:47:33 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qoUJn-00HNSa-JW for pgsql-hackers@arkaria.postgresql.org; Thu, 05 Oct 2023 19:47:32 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qoUJn-00HNRS-92 for pgsql-hackers@lists.postgresql.org; Thu, 05 Oct 2023 19:47:32 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qoUJl-000Dsq-HV for pgsql-hackers@lists.postgresql.org; Thu, 05 Oct 2023 19:47:31 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 395JlRdF2816432; Thu, 5 Oct 2023 15:47:27 -0400 From: Tom Lane To: Rajesh Mittal cc: pgsql-hackers@lists.postgresql.org Subject: Re: Rights Control within DB (which SuperUser cannot access, but user can) In-reply-to: References: Comments: In-reply-to Rajesh Mittal message dated "Fri, 06 Oct 2023 01:08:59 +0530" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <2816430.1696535247.1@sss.pgh.pa.us> Date: Thu, 05 Oct 2023 15:47:27 -0400 Message-ID: <2816431.1696535247@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Rajesh Mittal writes: > Is there a way, where an authorized user (Creates Table / Inserts Data) in > a DB, which the SuperUser cannot access the same. > I understand SuperUser can revoke the access of the user, but he should not > be able to see the table structure and data inserted in those tables. You might be able to do something with contrib/sepgsql, if you're on a selinux-enabled platform. But TBH the correct solution here is to not give out superuser to people you don't trust. There is no way that you're likely to make an entirely bulletproof setup. (Consider, just to begin with, how you're going to prevent a rogue superuser from de-installing sepgsql, or even simply doing "set role other_user".) Also keep in mind that "prevent user A from seeing the structure of user B's tables" is not part of Postgres' threat models at all. Most system catalogs are world-readable, and you can't change that without breaking an awful lot of tools. If you don't like this, a plausible answer is to give each user their own database. regards, tom lane