Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qVdrC-000o3m-8p for pgsql-novice@arkaria.postgresql.org; Mon, 14 Aug 2023 20:08:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qVdrA-007Gkk-2c for pgsql-novice@arkaria.postgresql.org; Mon, 14 Aug 2023 20:08:04 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qVbvx-006f2i-ND for pgsql-novice@lists.postgresql.org; Mon, 14 Aug 2023 18:04:53 +0000 Received: from mail-ot1-x332.google.com ([2607:f8b0:4864:20::332]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qVbvv-0007fZ-CK for pgsql-novice@lists.postgresql.org; Mon, 14 Aug 2023 18:04:52 +0000 Received: by mail-ot1-x332.google.com with SMTP id 46e09a7af769-6bcb15aa074so2848311a34.0 for ; Mon, 14 Aug 2023 11:04:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692036290; x=1692641090; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dOAHwI2ZNWE/fxJL8/BlLqwghf56SaSKMWxZiyRLW0U=; b=kOIxYuH3afDYVvFCcdW3pjYjgFDpIEprvAJBKYee6tn/XMI/JJv4AK9M8IwClYMjqL 0EY6ynZAqgV6xX/ChUgR/JTUSI2WnYF2MPn0Yp4CprQizwJrh+GEnuvy+yY3rP+6OjVc SOcYLNbEahVfQrJ8WZ46h3zZGx/1Izy9Mt6N6KRRGeZ7WJ7/TueJvd1tijJKeIRmIaEB 5uItgpT9UMKshDqR/2nzo8G3LpRe6MIFtddPU+gbh+UnINctxMNCnXsZMEJ7zl5sMkeI waIhjiTK+iYf8pkfm3JrDgaytGRqI2nxeLxLXy3IkqQEUteaIKjINpcq+1oqqFSCi+H6 Txjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692036290; x=1692641090; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dOAHwI2ZNWE/fxJL8/BlLqwghf56SaSKMWxZiyRLW0U=; b=PWwxlyn6InukerFh5HUnSHNA88Zw7jbRKRZ52TL47O/ONEVCF1FYaBWPstr/vCtHWx EJ6tWMMpBqLIuoU7d148eKHpyTFBZZd2iXH4sx7UrwcMglXJa8wRAnQF2L7hRf6NuqlB zqR1c9EKkWBrhZ4uRCYbJvk0Bg6YM4W38252qIB9xge6C+EQotrWRUm6YsbVYX8A7GHS PBaey5p+IImhvaLnpEKRQhcS7RZMKZld4tY7SnTO0eU5Q9TA7tEkzBhJAPT7vI5vVrdf fA+KVrGt2oS6UbqBAONjcRONH617eCGOdDCmGchwZL3YevTe0gJ6DWrVdWY59aw3YBOf HStg== X-Gm-Message-State: AOJu0YzNd6PxnUhJ+q6D4DGSW52CCOwe6eEuiMheTXJ+i0NcOiTCdnXI tPMnqYHpuTm97w2BIORLdjAAcPdP8Lt6rA4VbEo= X-Google-Smtp-Source: AGHT+IE0b2SDmyFbE26YBsik2xduj9XaUbrKpO5rPZDKa8Ig1G0CQpw2lZu5yPF/vrtrxseLUHVUdJmXFNbJXqRv1Qs= X-Received: by 2002:a05:6830:310c:b0:6b8:b83c:a1f8 with SMTP id b12-20020a056830310c00b006b8b83ca1f8mr9321539ots.19.1692036290658; Mon, 14 Aug 2023 11:04:50 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "David G. Johnston" Date: Mon, 14 Aug 2023 11:04:33 -0700 Message-ID: Subject: Re: create read-only and revoke create function? To: Ron Watkins Cc: pgsql-novice@lists.postgresql.org Content-Type: multipart/alternative; boundary="0000000000000d46200602e5e6af" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000000d46200602e5e6af Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, Aug 14, 2023 at 8:20=E2=80=AFAM Ron Watkins wrot= e: > > GRANT "RO_Role" to ; > GRANT SELECT ON TABLE TO "RO_Role"; > GRANT EXECUTE ON FUNCTION TO "RO_ROLE"; > > On one server, this seems to have limited the users ability to write to > tables, but on the other server it didn't work, they can still write to > tables. > Then the other server has permissions being granted to those users roles that the first one doesn't. Fix that. > As for the functions, they can still create. Not sure how to prevent this > from happening. > Suggestions? > > You seem to be missing default privileges for the PUBLIC group - in particular I suspect you are seeing the ability to create stuff on the public schema by PUBLIC. If you revoke that you should be good. Every role is read-only (in the sense of being unable to modify schema directly) by default, aside from whatever it inherits from PUBLIC and any other default privileges you may have setup. If you are able to do something you shouldn't, you need to figure out where that privilege is coming from and either remove it or remove the membership (you cannot remove membership in PUBLIC). David J. --0000000000000d46200602e5e6af Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Mon, Aug 14, 2023 at 8:20=E2=80=AFAM Ron Watkins <rwatki@gmail.com> wrote:

GRANT "RO_Rol= e" to <users>;
GRANT SELECT ON TABLE <tablename>= TO "RO_Role";
GRANT EXECUTE ON FUNCTION <functions&= gt; TO "RO_ROLE";

On one server, this se= ems to have limited the users ability to write to tables, but on the other = server it didn't work, they can still write to tables.

Then the other=C2=A0server has permissions = being granted to those users roles that the first one doesn't.=C2=A0 Fi= x that.


As for the functions, they can s= till create. Not sure how to prevent this from happening.
Suggest= ions?


You se= em to be missing default privileges for the PUBLIC group - in particular I = suspect you are seeing the ability to create stuff on the public schema by = PUBLIC.=C2=A0 If you revoke that you should be good.

E= very role is read-only (in the sense of being unable to modify schema direc= tly) by default, aside from whatever it inherits from PUBLIC and any other = default privileges you may have setup.=C2=A0 If you are able to do somethin= g you shouldn't, you need to figure out where that privilege is coming = from and either remove it or remove the membership (you cannot remove membe= rship in PUBLIC).

David J.


--0000000000000d46200602e5e6af--